Malware Analysis Report

2025-03-15 04:34

Sample ID: 241027-1dfvca1jdy
Target: 76093511e47066096d20a881a960b433_JaffaCakes118
SHA256: 26ce2133eade07dd0eb3233616ff027e1aef0e852b469f826fbe3fbee88de93d
Tags: discovery adware spyware stealer upx
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 76093511e47066096d20a881a960b433_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery adware spyware stealer upx

Reads user/profile data of web browsers

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Drops Chrome extension

Installs/modifies Browser Helper Object

Checks installed software on the system

UPX packed file

Drops file in Program Files directory

Browser Information Discovery

Program crash

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 21:31

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 224

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2696 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2696 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2696 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 78.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 31.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hosts\hosts-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-helper.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts.ico C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bho.dll C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\background.html C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bg.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Installer.log C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-helper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ = "hosts" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311531182}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe
PID 1280 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 3416 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe
PID 1280 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 1280 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 1280 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1280 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-bg.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311531182} = "1" C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"

C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe

"C:\Users\Admin\AppData\Local\Temp\nsb96D3.tmp\Hnaadvbqr.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064774}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"307BCCF1C1E443E881E6BA6EC5BF2FECIE\", \"installer_verifier\" : \"16063b7367d16a6ed107c6ee8dda7e3b\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"

C:\Program Files (x86)\hosts\hosts-codedownloader.exe

"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=307BCCF1C1E443E881E6BA6EC5BF2FECIE /verifier=16063b7367d16a6ed107c6ee8dda7e3b /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064774 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'

C:\Program Files (x86)\hosts\hosts-helper.exe

"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"

C:\Program Files (x86)\hosts\hosts-bg.exe

"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064774.log'

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 stats.weservstats.com udp
US 8.8.8.8:53 app-static.crossrider.com udp
US 8.8.8.8:53 errors.weservstats.com udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files


MD5 fd3f295f1c17b33d7a80103564a7f221
SHA1 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28
SHA256 cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb
SHA512 d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js

MD5 60fd9774d8bb9d6eac945da719e68428
SHA1 6f04d94ad0c566f23f432d3457e8116c0f97c119
SHA256 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a
SHA512 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js

MD5 311200eb1ab011b88c0e9545a4d2d049
SHA1 d22bf13518c77d46e45d556adf6244a251ccd3a1
SHA256 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545
SHA512 bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html

MD5 fb162e226ced64d0b4d6e53ed9f82eb9
SHA1 2b1d6ab496785d96ddcfc712a942a0d1de8ef018
SHA256 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140
SHA512 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js

MD5 aaba4db5965550fa33599a2888151785
SHA1 fb472dd90e55164f05774d9778e97a644ed2628d
SHA256 b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44
SHA512 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul

MD5 275186e0a6d4ddabbf8bc8d1b00add5e
SHA1 e4b57588e9be7de99e4b057801977f3614bcbf9f
SHA256 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2
SHA512 d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest

MD5 ba60b7b3decd2b1e30e55e4301e20de4
SHA1 61ee703b552a8826fe1086ecc5abee4d45bd92c8
SHA256 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b
SHA512 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js

MD5 aee13ba60482e203c4bfc871339b624d
SHA1 a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba
SHA256 cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913
SHA512 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js

MD5 8a07017e0756e912aa9fe2fa7f722456
SHA1 ecd41edeea92e2e00f2b518afb1410bce30792bb
SHA256 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953
SHA512 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js

MD5 2cbb07727f1ad5480752694ba113854a
SHA1 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674
SHA256 db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40
SHA512 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js

MD5 780b66c8196bd869af8eac63d695d9c9
SHA1 c02d465ce06fdc40e8adba0e463fa3b609fdf56a
SHA256 aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486
SHA512 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js

MD5 bad0c2449513ec4ed9ca13eb55591aa8
SHA1 e260a391e5dc7913ab3b81fe8da607ee43fe45df
SHA256 e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779
SHA512 a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js

MD5 de002d9604f09b376b85159f289b75a3
SHA1 5c6c4ad17b914118f387863ee5982aa52ac34c09
SHA256 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce
SHA512 a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css

MD5 36ab40a4b899472d25a3c872a7f9ad4d
SHA1 c29870d67d954de9c5c32783ce28cf7f77d13ec1
SHA256 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664
SHA512 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html

MD5 cbdf4e688981915b95a3741d0c9d5fe5
SHA1 e4f188d057f04638443eab966002e7feb63bf61a
SHA256 af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c
SHA512 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css

MD5 4bd957ddde2bb2e537060afcf55f1f72
SHA1 d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c
SHA256 f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f
SHA512 cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js

MD5 7d8a2c2c54f33325eb30368eba7564df
SHA1 72e5449067e0c85242cb28c8069cabd547908d50
SHA256 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed
SHA512 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js

MD5 60c4db63eb127e64d24f7e9f37e43efb
SHA1 dc799abfd6c2538d0b37e85936e9b80bac02badd
SHA256 c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581
SHA512 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js

MD5 e377ef2d419e60d15b422da1295201fe
SHA1 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02
SHA256 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17
SHA512 cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js

MD5 ce25d7dd7d7e34dc5b92d25861cc2947
SHA1 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880
SHA256 d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5
SHA512 cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js

MD5 81b4df8409320d739e70e9d4cc4c62f7
SHA1 7f5e03ed6d5d66fb9a0d052761731d302df21eca
SHA256 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08
SHA512 c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js

MD5 a1cd4406d7577807a698aa3995046192
SHA1 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57
SHA256 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7
SHA512 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js

MD5 e8a80e409e40199e3309e5d37dfcfeaf
SHA1 b74ce420ab51a7af5901cc2f17b3ba19ff2b847d
SHA256 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9
SHA512 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png

MD5 752c26453dc2fc989ed46f5920328edb
SHA1 a064ccc009ee36c20dd5a8aeeab1a335bf82bda2
SHA256 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb
SHA512 b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 e2236f4df18b245c4428767eb7001bd8
SHA1 d091f299951ca8ade7bf03ae84ca3ca1ab2307b2
SHA256 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e
SHA512 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 c1d9bb540a5cf2b8e335311c247bff92
SHA1 ac2dc11f16ec71ffbeee862afd72a41787e6980d
SHA256 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a
SHA512 d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af

C:\Program Files (x86)\hosts\hosts-buttonutil.exe

MD5 6aeaaedda1949deb7c40b09ddfd7ed09
SHA1 f3d35bd0edb197845b96cfda824c96cf77e79a7f
SHA256 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc
SHA512 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 c0228d656c703062404bb811a2358892
SHA1 fa32581dfd2ffb9386c8bed36bbca46363d5c996
SHA256 d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2
SHA512 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 96217006f4ed6618c41c27ddc4410a91
SHA1 391cf6d7bd90476855736cb1cc22d857c56e2e0b
SHA256 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f
SHA512 fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 062e75c38b5a59b16287e1ee8685cd44
SHA1 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5
SHA256 b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e
SHA512 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 8b017e3910261cb0c9d914a6abac5382
SHA1 5e4400946760495478a72bd89bba9e88b37af589
SHA256 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0
SHA512 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e

C:\Users\Admin\AppData\Local\Temp\nsn9983.tmp\temp_file_after.tmp

MD5 db6aedf26ae4c857fc7580611882669a
SHA1 fa53a2e301e3bf024159c99e40c8d72e86bc68b9
SHA256 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06
SHA512 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 220

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 780 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 780 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 780 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 228

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4208 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4208 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4208 wrote to memory of 4340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerStuff.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4340 -ip 4340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4340 -s 620

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 220

Network

N/A

Files

memory/1632-0-0x0000000075240000-0x000000007524A000-memory.dmp

memory/1632-3-0x0000000075230000-0x000000007523A000-memory.dmp

memory/1632-2-0x0000000075240000-0x000000007524A000-memory.dmp

memory/1632-1-0x0000000075220000-0x000000007522A000-memory.dmp

memory/1632-4-0x0000000075230000-0x000000007523A000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20240708-en

Max time kernel

119s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hosts\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-helper.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\background.html C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bg.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Installer.log C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts.ico C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bho.dll C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-bg.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID\ = "{11111111-1111-1111-1111-110311531182}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322532282}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2092 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe
PID 2800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 536 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 536 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 536 wrote to memory of 1864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 608 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2344 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2344 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2344 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2344 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe
PID 2800 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 2800 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 2800 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 2800 wrote to memory of 580 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 2800 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 2800 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 2800 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 2800 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 484 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2800 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-bg.exe
PID 2800 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-bg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\setup_cr.exe"

C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe

"C:\Users\Admin\AppData\Local\Temp\nsy8FF2.tmp\Hnaadvbqr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064763}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"4AB09E47A9604B77AE250F7A9AB07AB0IE\", \"installer_verifier\" : \"398c13b930b46504151fef474c344b7c\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"

C:\Program Files (x86)\hosts\hosts-codedownloader.exe

"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=4AB09E47A9604B77AE250F7A9AB07AB0IE /verifier=398c13b930b46504151fef474c344b7c /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064763 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'

C:\Program Files (x86)\hosts\hosts-helper.exe

"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"

C:\Program Files (x86)\hosts\hosts-bg.exe

"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064763.log'

Network

Country Destination Domain Proto
US 8.8.8.8:53 stats.weservstats.com udp
US 8.8.8.8:53 app-static.crossrider.com udp
US 8.8.8.8:53 errors.weservstats.com udp

Files


C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 c1d9bb540a5cf2b8e335311c247bff92
SHA1 ac2dc11f16ec71ffbeee862afd72a41787e6980d
SHA256 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a
SHA512 d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 b1f30ce7d2d156fc327d7c6ad834f9fd
SHA1 282365a98e00aeb832cbf025886768dceb1398a7
SHA256 8f47d496d92f92c8ee15e25bf26140bf0fb9fa27d72a38fa0604a56f3028a832
SHA512 3d5ac114d48f56fe4ad64e4e2cd5045f8d5228081c78e78b6abc9243e12eabd9b26baf31c8f9202d4e0cb3b7e4621271336596fb56caeb7d83c8be3309b8b591

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 98f9cc75bb98314644108c53f7a4a954
SHA1 0094498b7016518da8fa5f1e1a457f43fd7ade9c
SHA256 761bbdceb0f905656cf9e0e3b979e0b355fa61d44084bc02e113117e8c7931c6
SHA512 bae234bfa0d175b21af8db35bed5e6db255565700de3d039dc040113d5f4022c7c6bf08bb7579b3bab39eb4dc255a74723c76e510a867a87c053ab0e200d66b5

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 96217006f4ed6618c41c27ddc4410a91
SHA1 391cf6d7bd90476855736cb1cc22d857c56e2e0b
SHA256 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f
SHA512 fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 9c571c2a40ab0f32992324ca4967ea4d
SHA1 bac78782334bceb3c8dc7ee69a509c184737738b
SHA256 47f6683062d28a5099d2fdf756f9c3164122543a1d30a4fe8e93b56ab96ee30f
SHA512 223472ff1be723e1deb64ede18d872ffe779651f4c844c1285749adfcb7c06221268a44a85fc920f4d74aac063b491ebd4b3975e7e954898a63fc5e15e774059

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 8b017e3910261cb0c9d914a6abac5382
SHA1 5e4400946760495478a72bd89bba9e88b37af589
SHA256 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0
SHA512 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e

C:\Users\Admin\AppData\Local\Temp\nst92DF.tmp\temp_file_after.tmp

MD5 db6aedf26ae4c857fc7580611882669a
SHA1 fa53a2e301e3bf024159c99e40c8d72e86bc68b9
SHA256 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06
SHA512 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4232 wrote to memory of 516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4232 wrote to memory of 516 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 516 -ip 516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 516 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hosts\hosts-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-helper.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bg.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Installer.log C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts.ico C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bho.dll C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\background.html C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-helper.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-codedownloader.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311531182}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322532282}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ = "hosts" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3056 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 3056 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe
PID 4112 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe
PID 2504 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 4928 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 4928 wrote to memory of 2444 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe
PID 2504 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-codedownloader.exe
PID 2504 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-helper.exe
PID 2504 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2504 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe C:\Program Files (x86)\hosts\hosts-bg.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311531182} = "1" C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3056,8D637B667EDB4632AB83DF05009335BB,BF924038E5624C18B9D68AC7C641D364,6D16371606334E9DADD9983D0592C9D9

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 3056,4C33C0BBD41C4A5FA74FEDF0AA8ADAA0,0FA6695B07BA41BE9FA317183A1185F9,6D16371606334E9DADD9983D0592C9D9

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe

C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe

"C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064782}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"23D8F80C2F0E46D9A8B29801CD56C170IE\", \"installer_verifier\" : \"ef56edb22bd226b3df8ac9917ff5820a\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\1" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"

C:\Program Files (x86)\hosts\hosts-codedownloader.exe

"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=23D8F80C2F0E46D9A8B29801CD56C170IE /verifier=ef56edb22bd226b3df8ac9917ff5820a /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064782 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'

C:\Program Files (x86)\hosts\hosts-helper.exe

"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"

C:\Program Files (x86)\hosts\hosts-bg.exe

"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log'

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 api.opencandy.com udp
US 8.8.8.8:53 downlite.net udp
US 172.98.192.37:80 downlite.net tcp
US 8.8.8.8:53 v2.irismediainc.com udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 37.192.98.172.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 stats.weservstats.com udp
US 8.8.8.8:53 app-static.crossrider.com udp
US 8.8.8.8:53 errors.weservstats.com udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\OCSetupHlp.dll

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\InstallerStuff.dll

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\nsJSON.dll

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\nsDialogs.dll

C:\Users\Admin\AppData\Local\Temp\nsn8108.tmp\setup_cr.exe

C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\System.dll

C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\InstallerUtils.dll

C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nse9CEE.tmp\Hnaadvbqr.exe

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\nsislog.dll

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\nsisos.dll

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\md5dll.dll

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\ZipDLL.dll

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\CRNSISPlugins.dll

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\ExecDos.dll

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064782.log

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h4lqlqyj.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul

MD5 68e04f0a85d4cb05c54f268e5e59fdc9
SHA1 2a465323fb0d697226d481be9c599f94d62fd150
SHA256 d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6
SHA512 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js

MD5 a5be5ea81e0b1653d3fa31600a0a36e0
SHA1 dacb7a24b99dfb9dd4541b00e4241db7df7a219d
SHA256 ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4
SHA512 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js

MD5 aaba4db5965550fa33599a2888151785
SHA1 fb472dd90e55164f05774d9778e97a644ed2628d
SHA256 b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44
SHA512 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js

MD5 311200eb1ab011b88c0e9545a4d2d049
SHA1 d22bf13518c77d46e45d556adf6244a251ccd3a1
SHA256 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545
SHA512 bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js

MD5 80297932a5645e651b2bc05c65cb8cf6
SHA1 dfb36a890b134fc09bb003c583f93c978e717f7c
SHA256 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d
SHA512 f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul

MD5 a82c0de0f37da22a6e07ff2077e8f318
SHA1 ae361ae3f52c2f7240c6275a6c40166796107c30
SHA256 d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172
SHA512 c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js

MD5 b1d1b15628eeab4bd8ef82bea8b9110f
SHA1 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd
SHA256 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5
SHA512 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js

MD5 b4a678cc9885730cd03de0d100bdcc25
SHA1 b0771a929a9624c256b45124e6f0c999707380e8
SHA256 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29
SHA512 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js

MD5 0587e06fa0fb578c220245ddb95f7411
SHA1 52df8780d25418d6fb90725c9816080e01bc5024
SHA256 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f
SHA512 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js

MD5 a92e9ce9e1e0ad01baa684c419ebbb8f
SHA1 850271a386aff13b2d2f16d3e70778cc8a655519
SHA256 a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a
SHA512 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js

MD5 769dbc56827458c72b7ad8098c91e7f7
SHA1 e8dbd8c650c6e35e064bee32e93200f713ea94d8
SHA256 2ff6758a857e848cc6d30ddc02d18000cc062048b1df0b9ab59e9b9cd08107c5
SHA512 36fb166d5f74cd17a79338192e67fbc1ae18cb68a9c0422513f1560d6c1b3d357e6a940a1cf5128fe4cf64dd199aa5c4bb7689d70e6887dd7fef01cc7f3d58aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js

MD5 e7ae2f5a14532b1b645d14bc04e4a12f
SHA1 592ba96aa9d7e448fe67e92228442f9312c1ae32
SHA256 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67
SHA512 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js

MD5 9fc11c16a573da4dba7764fc111a50cc
SHA1 4035d7a0a8383e1b93d64fc161e3274d5f428ae3
SHA256 5250fe36cd0617f8497a8f2da1003fbfebe97b01f26f030728a26d33a438fbd7
SHA512 060cc213c87cb7f86809f8d533d677171f798e5a32519f0467e4ee2605319210e87b666c784d49e490326595d482fc37ca840ced537e0b4161ebef4abd99301f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js

MD5 9844f60e1179aea762ef53ec0d542fa3
SHA1 25cb21241d80f8ed03dbdb1b3c1d6d487415acf0
SHA256 dc619581ed2a7ef130c5bc780ce0c18bff78ca27ce98a0689bf3178b2b2967a5
SHA512 d40b6f2b59bb32dde9309bc9533052559b17786afa899de5682f2f3322492fbc583323e84cc98cbdcf2f46d1b6767e71fdddd68dd9eb695c4d304de33836fed9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js

MD5 eec92acbcfa9d28b43b64aecc9e6c1ee
SHA1 d4253a3cd8810d575e1100c58f088d70e063889f
SHA256 1f3b9ab2bad072151166127c9bb92405e031ad8afdfe2f9dd5ebde86ccc0236f
SHA512 62f3856a5c2c5e408e68f2f4266a86c9f49411e92190d9e865144ebcae0907a401f2ee808bc7a8cb135504997a6afc71b7f7e85ff18c68175dde88b0e1b67b93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js

MD5 ef2e8bca169a0e83e6e1a1daaee07c4e
SHA1 a78279e9bd75e866a18f36cafdc4e4385d88610d
SHA256 2f39c546d790606df3c1885603984d2bfc94965222b48f6eed74447552114673
SHA512 7e86e8447570714ad1975617c159208d217132857775e465d12f9bd7902b7e65757c621841e7822db142ff045ec6a8ddd07767b92a845e3d3627e0acdf94b672

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js

MD5 60fd9774d8bb9d6eac945da719e68428
SHA1 6f04d94ad0c566f23f432d3457e8116c0f97c119
SHA256 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a
SHA512 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js

MD5 3e9a68cfaeb26b1bf7b39037a5670d38
SHA1 b6633a830be19b218af576417d0fec7ab5dff435
SHA256 96474c2cef1c5bc83df3d8bfc19d4853968925ea981b0a5c09b160fc15b59f18
SHA512 d5b85a1df2e678e70d50ab5e7cf1e84707288b8ad80327c9eb9f65b2c803378268adf3f44a43078080092acfa26611b0dced54c754ef0bcded03fdc3fd902e17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js

MD5 fd3f295f1c17b33d7a80103564a7f221
SHA1 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28
SHA256 cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb
SHA512 d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js

MD5 d84f78673765cd850eb1600fa60bfeb1
SHA1 bbf3b8f1a8c03b4733b326b9a36d02bb55902620
SHA256 dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915
SHA512 8714f8df6b813bc4d6ed78a1cb6697f2aea3525c3c48961b7e4feee2b43a601e137899fe88804b451c3d104a9d9d405a1daf82b7a510cf8bf7f1f38c22e94af6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js

MD5 7f67b1f11066759f19de77335aa9e162
SHA1 5c689fbf820dded68beb78a0695569ea6b7a9e5d
SHA256 89e7e4c46c456bf2464a0997d864baa564da84eaf59306b153c38e08d643a00d
SHA512 7460af03a7360682481a8673a13cd675d88a52a5d565d8a84e379015b3355ef5e7e94e75c53047a7f3993478014aef457e85b6cba606b6af41ed3f7a434e676d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js

MD5 1f7e4557cc0450b1b59f088534a972a9
SHA1 09ddb030e2634dc6cb6dc8bb99b035e35fb20dbd
SHA256 430d1975bfbdc7f878e442a0c8f9cf9d0a3a1c3a5752b5b13e226e11b2ba6aec
SHA512 078ec9639458bec7b7de1c399693b9004d9e6eb354dc130c65aa8cd2c3e78325f44388024c931e8135c90e92a3f82641ef8d2bd3f45c1beff75147377bcabafb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js

MD5 58bb6d11d1eaf46767cc60de67cd9454
SHA1 d7c575929c2d14b8cc155879069fab443c44eb3a
SHA256 4b5d3e7c0a686c55dfdf2348533a6aa8ac2a768bad01673bbee717a92dce44b1
SHA512 41d1262f1b515f6990ba0ac41d446230d49873ecd90df6d14d6ecbf767a5aa923d2ee9405ef9cf0c96a9c323a1da125d84fb7c26bb1a19a02a8b05a01e725be3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js

MD5 44bd338a01fc265a1f48feb6109cffd3
SHA1 21a16911d1a82b1ad847b7a9c94f95127eefca60
SHA256 4c2e7321e1db1e55ac0d22934c916467d45767c85a65843b942891f983102da6
SHA512 9039535ed0910662afb0148598e3326bc50641887e4dd8907734cf0d1093655ee3c481c0d2f7a5581e5846cac804e1c10c33b896f78895c858076b2c605569c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js

MD5 7188f8b638a00a897acf7d6db9381c8b
SHA1 8394559d7791715741cf8f1dadebe7b7ad15132b
SHA256 306b1301a4f737d7a7995168a969bc730f26857a39949fcd4899d1dd0a6a3f9d
SHA512 dd950176cbe599602b660b767c1a85fac866b00d5b025886efc01d3e488e7b4e5392da3ac4b73956d753c102ac297373e0834022ffa06f0bfad07c78c6c833cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js

MD5 2cbb07727f1ad5480752694ba113854a
SHA1 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674
SHA256 db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40
SHA512 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js

MD5 8a07017e0756e912aa9fe2fa7f722456
SHA1 ecd41edeea92e2e00f2b518afb1410bce30792bb
SHA256 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953
SHA512 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js

MD5 aee13ba60482e203c4bfc871339b624d
SHA1 a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba
SHA256 cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913
SHA512 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js

MD5 780b66c8196bd869af8eac63d695d9c9
SHA1 c02d465ce06fdc40e8adba0e463fa3b609fdf56a
SHA256 aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486
SHA512 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js

MD5 bad0c2449513ec4ed9ca13eb55591aa8
SHA1 e260a391e5dc7913ab3b81fe8da607ee43fe45df
SHA256 e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779
SHA512 a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js

MD5 e8a80e409e40199e3309e5d37dfcfeaf
SHA1 b74ce420ab51a7af5901cc2f17b3ba19ff2b847d
SHA256 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9
SHA512 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js

MD5 a1cd4406d7577807a698aa3995046192
SHA1 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57
SHA256 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7
SHA512 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js

MD5 ce25d7dd7d7e34dc5b92d25861cc2947
SHA1 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880
SHA256 d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5
SHA512 cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js

MD5 e377ef2d419e60d15b422da1295201fe
SHA1 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02
SHA256 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17
SHA512 cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js

MD5 81b4df8409320d739e70e9d4cc4c62f7
SHA1 7f5e03ed6d5d66fb9a0d052761731d302df21eca
SHA256 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08
SHA512 c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js

MD5 60c4db63eb127e64d24f7e9f37e43efb
SHA1 dc799abfd6c2538d0b37e85936e9b80bac02badd
SHA256 c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581
SHA512 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js

MD5 de002d9604f09b376b85159f289b75a3
SHA1 5c6c4ad17b914118f387863ee5982aa52ac34c09
SHA256 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce
SHA512 a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js

MD5 7d8a2c2c54f33325eb30368eba7564df
SHA1 72e5449067e0c85242cb28c8069cabd547908d50
SHA256 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed
SHA512 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css

MD5 36ab40a4b899472d25a3c872a7f9ad4d
SHA1 c29870d67d954de9c5c32783ce28cf7f77d13ec1
SHA256 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664
SHA512 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html

MD5 cbdf4e688981915b95a3741d0c9d5fe5
SHA1 e4f188d057f04638443eab966002e7feb63bf61a
SHA256 af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c
SHA512 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css

MD5 4bd957ddde2bb2e537060afcf55f1f72
SHA1 d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c
SHA256 f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f
SHA512 cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png

MD5 752c26453dc2fc989ed46f5920328edb
SHA1 a064ccc009ee36c20dd5a8aeeab1a335bf82bda2
SHA256 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb
SHA512 b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 e2236f4df18b245c4428767eb7001bd8
SHA1 d091f299951ca8ade7bf03ae84ca3ca1ab2307b2
SHA256 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e
SHA512 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 c1d9bb540a5cf2b8e335311c247bff92
SHA1 ac2dc11f16ec71ffbeee862afd72a41787e6980d
SHA256 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a
SHA512 d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 6aeaaedda1949deb7c40b09ddfd7ed09
SHA1 f3d35bd0edb197845b96cfda824c96cf77e79a7f
SHA256 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc
SHA512 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 c0228d656c703062404bb811a2358892
SHA1 fa32581dfd2ffb9386c8bed36bbca46363d5c996
SHA256 d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2
SHA512 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 96217006f4ed6618c41c27ddc4410a91
SHA1 391cf6d7bd90476855736cb1cc22d857c56e2e0b
SHA256 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f
SHA512 fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 062e75c38b5a59b16287e1ee8685cd44
SHA1 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5
SHA256 b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e
SHA512 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 8b017e3910261cb0c9d914a6abac5382
SHA1 5e4400946760495478a72bd89bba9e88b37af589
SHA256 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0
SHA512 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e

C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\temp_file_after.tmp

MD5 db6aedf26ae4c857fc7580611882669a
SHA1 fa53a2e301e3bf024159c99e40c8d72e86bc68b9
SHA256 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06
SHA512 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6

Analysis: behavioral5

Detonation Overview

Submitted 2024-10-27 21:31
Reported 2024-10-27 21:35
Platform win7-20240903-en
Max time kernel 120s
Max time network 123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1864 wrote to memory of 1916 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted 2024-10-27 21:31
Reported 2024-10-27 21:35
Platform win10v2004-20241007-en
Max time kernel 149s
Max time network 156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR\\OCSetupHlp.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$PLUGINSDIR" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A720F5A-8FE4-4A0F-9B3A-494BF58B0813}\1.0\ = "OCVBValidateLib" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 4796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 924 wrote to memory of 4796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 924 wrote to memory of 4796 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\OCSetupHlp.dll

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted 2024-10-27 21:31
Reported 2024-10-27 21:35
Platform win7-20240903-en
Max time kernel 121s
Max time network 122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 244

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted 2024-10-27 21:31
Reported 2024-10-27 21:35
Platform win7-20240903-en
Max time kernel 122s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallerUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 228

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20241010-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DownLite.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b043ded9b728db01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000c1934af36f05b9a2fdb0947f12cfd683dbc87cda7b679b3e72c1efb37e9e53e3000000000e800000000200002000000009f975be850fa4acf3e6e260d1e20ba07a01df5c5ea4ee31c0c89d8457f64aa0200000000054ed9067efb7182658b7f78357417b841ccfb606039f94832d771c19d9d0d3400000007ee5f8d1da2da8b120f2fcae2d3480999713e0d225c903a55faa030c92a5711816d801ae0bbed52062196e1a72af2ee41e0f4176c7ef4389aac3d615abe36765 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{02E671B1-94AB-11EF-BA44-CA806D3F5BF8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436226639" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DownLite.exe

"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.java.com/getjava/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2

Network


Files


Analysis: behavioral22

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"

Signatures

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DownLite.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3940 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\DownLite.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 3836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4728 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 4680 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3984 wrote to memory of 1336 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DownLite.exe

"C:\Users\Admin\AppData\Local\Temp\DownLite.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.java.com/getjava/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff98c7e46f8,0x7ff98c7e4708,0x7ff98c7e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,16266441577130478474,18095191261334960619,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2

Network


Files

memory/3940-0-0x0000000002400000-0x0000000002401000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_3984_NLNDLWUZWPXNICES

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

memory/3940-32-0x0000000002400000-0x0000000002401000-memory.dmp

memory/3940-31-0x0000000000400000-0x000000000062F000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win7-20240903-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\manifest.json C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311531182}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\hosts\hosts-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bg.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Installer.log C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts.ico C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-bho.dll C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\background.html C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
File created C:\Program Files (x86)\hosts\hosts-helper.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\RunDll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\hosts\hosts-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f} C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4} C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65} C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634} C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppName = "hosts-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppName = "hosts-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e} C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\AppName = "hosts-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{35c60f99-ae77-4499-a9ce-90b8ac96ac65}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f01086c0-e8dc-4079-b146-52755d5b5634}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1f265c0f-b457-431c-b860-178ae338792f}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\ = "CrossriderApp0035382 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\ = "CrossriderApp0035382.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox.1\CLSID\ = "{22222222-2222-2222-2222-220322532282}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer\ = "CrossriderApp0035382" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\hosts" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.Sandbox\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0035382.BHO\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib\ = "{44444444-4444-4444-4444-440344534482}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344534482}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355535582} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366536682}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355535582}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
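The two registry tables above carry the most useful artifacts in this detonation: Hnaadvbqr.exe registers four of the dropped executables under Internet Explorer's Low Rights\ElevationPolicy with Policy = 3, which tells Protected Mode IE to launch them at medium integrity without prompting (Policy 1, used for hosts-bg.exe, launches at low integrity; 0 blocks the launch; 2 prompts first), and regsvr32.exe registers hosts-bho.dll as two COM classes whose ProgIDs name a Crossrider app. The script below is an added example, not part of the sandbox report or its tooling. It parses rows in the sandbox's own "operation, key, optional value, process, target" layout, rebuilds each ElevationPolicy entry from its AppName/AppPath/Policy values, collects the CLSID-to-DLL and CLSID-to-ProgID mappings, and lists any FEATURE_BROWSER_EMULATION overrides. The sample rows are a subset copied from the tables above; the row layout and the regular expressions are my own assumptions about how the report renders these events.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the rows from the two registry tables above, in
# the sandbox's "<op> <key>[ = "<value>"] <process> N/A" layout (layout assumed).
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppName = "hosts-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f5e5d7ae-983a-4685-bb91-e780660a2f7e}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppName = "hosts-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66195f65-c2cc-432c-babc-19fb4d5480e4}\AppPath = "C:\\Program Files (x86)\\hosts" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\hosts-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\InprocServer32\ = "C:\\Program Files (x86)\\hosts\\hosts-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322532282}\ProgID\ = "CrossriderApp0035382.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\ProgID\ = "CrossriderApp0035382.BHO.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311531182}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
"""

EVENT_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Key deleted|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'              # key path; may contain spaces
    r'(?:\s+=\s+"(?P<value>.*)")?'             # quoted value, only on Set value rows
    r'\s+(?P<proc>[A-Za-z]:\\.+?)\s+N/A$'      # writing process, then the empty Target column
)

def parse_events(text):
    """Parse sandbox registry rows into dicts; rows that do not fit the layout are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def set_values(events):
    return [e for e in events if e["op"].startswith("Set value")]

ELEV_RE = re.compile(r'\\Low Rights\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})\\(AppName|AppPath|Policy)$')

# Meaning of the Policy value, as documented for Protected Mode Internet Explorer.
POLICY_MEANING = {
    "0": "launch blocked",
    "1": "launched silently at low integrity",
    "2": "user prompted, then launched at medium integrity",
    "3": "launched silently at medium integrity (leaves Protected Mode with no prompt)",
}

def elevation_policies(events):
    """GUID -> {AppName, AppPath, Policy} rebuilt from the individual Set value rows."""
    entries = defaultdict(dict)
    for e in set_values(events):
        m = ELEV_RE.search(e["path"])
        if m:
            entries[m.group(1)][m.group(2)] = e["value"]
    return dict(entries)

def silent_elevations(policies):
    """Entries with Policy = 3: the programs IE will start at medium integrity unprompted."""
    return [{"guid": guid, "app": e.get("AppName"), "path": e.get("AppPath"),
             "meaning": POLICY_MEANING["3"]}
            for guid, e in sorted(policies.items()) if e.get("Policy") == "3"]

CLSID_RE = re.compile(r'\\Classes\\(?:Wow6432Node\\)?CLSID\\(\{[0-9A-Fa-f-]+\})\\(InprocServer32|ProgID)\\$')

def com_classes(events):
    """CLSID -> {'dll': InprocServer32 default, 'progid': ProgID default} from the regsvr32 rows."""
    classes = defaultdict(dict)
    for e in set_values(events):
        m = CLSID_RE.search(e["path"])
        if m:
            classes[m.group(1)]["dll" if m.group(2) == "InprocServer32" else "progid"] = e["value"]
    return dict(classes)

EMU_RE = re.compile(r'\\FeatureControl\\FEATURE_BROWSER_EMULATION\\([^\\]+)$')

def browser_emulation(events):
    """Executables given a forced WebBrowser-control document mode (8000 = IE8 standards mode)."""
    out = {}
    for e in set_values(events):
        m = EMU_RE.search(e["path"])
        if m:
            out[m.group(1)] = e["value"]
    return out

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in silent_elevations(elevation_policies(evs)):
        print("ElevationPolicy", f["guid"], f["app"], "in", f["path"], "->", f["meaning"])
    for clsid, c in com_classes(evs).items():
        print("CLSID", clsid, c)
    print("FEATURE_BROWSER_EMULATION", browser_emulation(evs))
```

On a live host the same three lookups can be made directly against HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy, HKCR\Wow6432Node\CLSID and HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl; any ElevationPolicy entry with Policy = 3 whose AppPath is not a vendor directory you recognise deserves the same attention as a Run key. Note that hosts-bg.exe is the one executable registered with Policy = 1 and is also the only one given a FEATURE_BROWSER_EMULATION value, a setting that only matters to a process hosting an embedded WebBrowser control. The full {11111111-...} InprocServer32 path is not among the rows in this section, so the example reports only its ProgID.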

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A
N/A N/A C:\Windows\SysWOW64\RunDll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2820 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2080 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2080 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2080 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2820 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2444 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2444 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2444 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
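The sandbox raises "Suspicious use of WriteProcessMemory" for every cross-process write it observes, which includes the writes CreateProcess itself makes into a child it has just started, so a table like the one above normally encodes the spawn chain rather than injection into some unrelated process. The script below is an added example, not part of the report: it rebuilds the process tree from rows in this layout, counts repeated rows per parent-child edge, and lists any target PID written to by more than one source, which is the pattern that would actually warrant a closer look. The sample rows are copied from the table above (the first row twice, to show the repeat count); the row layout is an assumption about how the report renders these events.

```python
import re
from collections import defaultdict

# Constructed input: rows copied from the WriteProcessMemory table above; the
# 2536 -> 1864 row is kept twice so that repeats are visible in the counts.
SAMPLE_ROWS = r"""
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Windows\SysWOW64\RunDll32.exe
PID 2536 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe
PID 2628 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe
PID 2820 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
PID 2820 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe
"""

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>" (layout assumed).
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$'
)

def parse_writes(text):
    """Return (src_pid, dst_pid, src_image, dst_image) tuples for rows that parse."""
    rows = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            rows.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return rows

class ProcessTree:
    def __init__(self):
        self.image = {}                      # pid -> image path, first seen wins
        self.parent = {}                     # child pid -> first pid that wrote into it
        self.children = defaultdict(list)    # pid -> child pids in first-seen order
        self.writes = defaultdict(int)       # (src, dst) -> number of write rows
        self.writers = defaultdict(set)      # dst -> every pid that wrote into it

    def add(self, src, dst, src_img, dst_img):
        self.image.setdefault(src, src_img)
        self.image.setdefault(dst, dst_img)
        self.writes[(src, dst)] += 1
        self.writers[dst].add(src)
        if dst not in self.parent:           # first writer is treated as the parent
            self.parent[dst] = src
            self.children[src].append(dst)

    def roots(self):
        return [pid for pid in self.image if pid not in self.parent]

    def depth(self, pid):
        d = 0
        while pid in self.parent:
            pid = self.parent[pid]
            d += 1
        return d

    def multi_writer_targets(self):
        """PIDs written by more than one process; the plain spawn pattern never produces this."""
        return sorted(pid for pid, w in self.writers.items() if len(w) > 1)

    def render(self):
        """Indented tree, one line per process, with the write count from its parent."""
        lines = []
        def walk(pid, indent):
            name = self.image[pid].rsplit("\\", 1)[-1]
            count = self.writes.get((self.parent.get(pid), pid), 0)
            suffix = f" ({count} writes)" if count else ""
            lines.append(f"{'  ' * indent}{pid} {name}{suffix}")
            for child in self.children[pid]:
                walk(child, indent + 1)
        for root in self.roots():
            walk(root, 0)
        return lines

def build_tree(text):
    tree = ProcessTree()
    for row in parse_writes(text):
        tree.add(*row)
    return tree

if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    print("\n".join(tree.render()))
    print("targets with several writers:", tree.multi_writer_targets())
```

The reconstructed tree matches the Processes listing that follows: the NSIS installer spawns two RunDll32.exe OpenCandy helpers and setup_cr.exe, which spawns Hnaadvbqr.exe, which in turn drives cmd.exe and scs.exe. An empty multi-writer list is the expected result for a pure installer chain; a PID that shows up there is the one to pull a memory dump for.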

Processes

C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\76093511e47066096d20a881a960b433_JaffaCakes118.exe"

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 2536,0335B568980546179F1B97EA3D61CA11,619FBD8A30D64455947AE2C7AD7F925A,2D8F34B5D60F427D898E693B9E9D0A5F

C:\Windows\SysWOW64\RunDll32.exe

RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll",_OCPID974OpenCandy2@16 2536,77E5F59F864048429292FC661D8ECDC4,3C9E69623C2245C384B95456025C4DFA,2D8F34B5D60F427D898E693B9E9D0A5F

C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe

C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe

C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe

"C:\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "INSERT INTO Databases (origin, name, description, estimated_size) VALUES('chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0','crossrider_cookies_35382','Crossrider Cookies Store',50 * 1024 * 1024);"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db" "SELECT id FROM Databases WHERE name = 'crossrider_cookies_35382' LIMIT 1"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallerParams','{\"value\" : { \"source_id\" : \"0\", \"sub_id\" : \"0\", \"uzid\" : \"0\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationTime','{\"value\" : 1730064811}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO cookies (name,value,expires) values('InstallationThankYouPage','{\"value\" : false}','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('InstallerIdentifiers','{\"value\" : { \"installer_bic\" : \"064A3653DDBA436CAE5998D01F93EF8BIE\", \"installer_verifier\" : \"12b812e04d5086cf282a3a378e89d5f4\" } }','2111-09-11 21:16:31');"

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\scs.exe "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_nnlomafmkpiclmaaekkhpoecnclldmaa_0\3" "REPLACE INTO internaldb (name,value,expires) values('chrome_enabled','{\"value\" : true}','2111-09-11 21:16:31');"

C:\Program Files (x86)\hosts\hosts-codedownloader.exe

"C:\Program Files (x86)\hosts\hosts-codedownloader.exe" /installapp /agentregpath='hosts' /appid=35382 /srcid='0' /subid='0' /zdata='0' /bic=064A3653DDBA436CAE5998D01F93EF8BIE /verifier=12b812e04d5086cf282a3a378e89d5f4 /installerversion=1_27_153 /installerfullversion=1.27.153.7 /installationtime=1730064811 /statsdomain=http://stats.weservstats.com /errorsdomain=http://errors.weservstats.com /codedownloaddomain=http://app-static.crossrider.com /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'

C:\Program Files (x86)\hosts\hosts-helper.exe

"C:\Program Files (x86)\hosts\hosts-helper.exe" /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\hosts\hosts-bho.dll"

C:\Program Files (x86)\hosts\hosts-bg.exe

"C:\Program Files (x86)\hosts\hosts-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log'

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.opencandy.com udp
US 8.8.8.8:53 api.opencandy.com udp
US 8.8.8.8:53 downlite.net udp
US 172.98.192.37:80 downlite.net tcp
US 8.8.8.8:53 v2.irismediainc.com udp
US 172.98.192.37:80 downlite.net tcp
US 8.8.8.8:53 stats.weservstats.com udp
US 8.8.8.8:53 app-static.crossrider.com udp
US 8.8.8.8:53 errors.weservstats.com udp

Files

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nso87C7.tmp\OCSetupHlp.dll

MD5 9e4e850e12f2f4f869b2491dbbb17ceb
SHA1 bd89581a89604b601c817ea680c2a224b46737f8
SHA256 4d1ad8aaf803660ee9d989a8a9cb3129397a97e4d0fa4b50ba7fb700b9d4d7b6
SHA512 9285472e8ed2e685dce357383842356e3011110a09f2e66b2a34ee6bf3c7457dbba834256d8b9b240c20666ec38b62d0ebd7fe4dec1fd9cbb812adc36ad724f5

memory/1864-14-0x0000000000190000-0x0000000000191000-memory.dmp

memory/1144-17-0x0000000000200000-0x0000000000201000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\InstallerStuff.dll

MD5 bcbacda49fb2c44fee595cbc82036242
SHA1 a33356996c7b3e032693bb373bbde2acf72cc469
SHA256 77ecf5896f33bbc002f00dd4742c00a20981bbc618563e49f34ea8f740da890d
SHA512 18c44cedb9b0fbd301ad9cbe5ebafe66d16380090baa41697f3224a5086313c61420730e8a5050fa7de31e2f47dbd21259d6758cf84557e0c34b901a93c4ddc0

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\nsJSON.dll

MD5 292aa9f95a7f081625056c497078159a
SHA1 72076f3eb146ab7ea2b3dd0ef6a63c06f86d64f1
SHA256 18f2b2f20c65a022a1c8aaf776b4c9be6c193b73c2079d9d65d56b802fcadfb5
SHA512 87f83c3bbcfedd98364b5d0209f912e66c72d43eb887438ad9735c078e6d1f6ea12566a75f0b652602bbd9f0608ce7148dc1703821f2ab6b366f061b8a58d910

memory/2536-28-0x0000000073EA0000-0x0000000073EAA000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\nsDialogs.dll

MD5 c10e04dd4ad4277d5adc951bb331c777
SHA1 b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
SHA256 e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
SHA512 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

\Users\Admin\AppData\Local\Temp\nso87C7.tmp\setup_cr.exe

MD5 ca023e6709a718a4917df6f3f2c8bbf7
SHA1 f9b989d482562796c8c95d124e52bd9e4643d32e
SHA256 6df47c38d9452173201fb301c3a7225221d4cafeaf07a3edc1dae9ea6135b86d
SHA512 23e813a6ac93394102b9448a3b5b3e41cf7eeb7eb683edaaf56335bd4ff3ac45884c6e0e10c7c0a9d8cd7f472e58b45e57d32fdcac819659c22e3dd547ae4d03

\Users\Admin\AppData\Local\Temp\nsoA556.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nsoA556.tmp\InstallerUtils.dll

MD5 156e15e3dfcc2f2ff2dbcc373fc11f53
SHA1 5ff52623dedd7efefac54dbd31b5d1bdf0f3e799
SHA256 4618571c27877641f83bfb312aa5b66ebe4a8954dc898ce4e640aeaea4dc0693
SHA512 d4930f0b49dae5386a92124b954d1b82921e07da2a9ffd9d854f6ab6f03473e591d3b67f0aa8ea19f83b480be705d829797e62825fda50ffb074bd4734b265b4

\Users\Admin\AppData\Local\Temp\nsoA556.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

\Users\Admin\AppData\Local\Temp\nsoA556.tmp\Hnaadvbqr.exe

MD5 e92df8cf0d3988c26395a390df381024
SHA1 2ad26f6562595e6e16cf2bb468213099a7583aa1
SHA256 c4927a7adb6f99589eced1b4a6e4056f52245ae3015b927d70622121270be5e1
SHA512 add4d7c17bebed385024360d59f72e86d6af8bfa275f8e76aedc57a318828b2482ea3b1d272a98bca337b4bcf79aa6621cf1e00efea406f92e04c1d7a56f098f

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\nsislog.dll

MD5 e47100b70748fc790ffe6299cdf7ef2d
SHA1 ad2a9cd5f7c39121926b7c131816e7ba85aeead2
SHA256 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144
SHA512 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

memory/2820-79-0x00000000004B0000-0x00000000004C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log

MD5 2aade1db6fa9a619eecc6f15ee93ed1d
SHA1 1c5085959dff58078b5447ac68481aaab24b5008
SHA256 8e3a7f686ed6922320d92f0bd365eb6b91f2f97eb000070cc67013f4b9ca5777
SHA512 a000dcb0d01d85cac97777f6a01c0af8932ec1b3c60c9ca3f0c63d4570b814ae8d1e915a955fcde2d8c7aa658466219752d8212dfefb0bf15d39090a6a0a5ad2

memory/1864-193-0x0000000000190000-0x0000000000191000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log

MD5 416a85023798baef3f80344a7401fae5
SHA1 b3dbba9dccef51de5d36a0a2fe26a1e59179634c
SHA256 634e44c76e71f5102db18e28371030909107f7ff6b111ec367a602d55de20a5b
SHA512 0bb5bc8ba3049e77c8f037fb516872d15d65cb2fa87d79c0ff39f90f83347d375fb783bd523d6358bd062e87806653c6c05a83e63d7791c1e45c6d716f04b547

memory/2820-268-0x00000000004B0000-0x00000000004B9000-memory.dmp

memory/1144-267-0x0000000000200000-0x0000000000201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log

MD5 88c338bf944d8e20ec513f9b8ea514a6
SHA1 b3c42f05549c649bb0eb241f78862e542f26036e
SHA256 1eb103a68c378906deb81cd058045bbaca0a5c8285e5cf10e5fcdde55a921e56
SHA512 48c0bf2c4b87e3004b27a2984860576e8212dd71eac604113fbd69ab97c835d3db4fed8abbd713d76130ffbabed8d9da0a543af7ca3c740c1ee6a075f518dc7f

\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log

MD5 1d8ed9b89fe6772d4cfeedd0358edd73
SHA1 f36d00e85b1dd19e9593b4a2ce64dcf670d35aa8
SHA256 9ec16df66924b7d09db16c7d535babf438d2cd4d11dc9c42e5f54b1be2a281ed
SHA512 9480c40fda41802f376f1540fb95d526f15e8978a5012c4b087bf1944ffb00fb690033820c0b37780640eec8eb49e5b3242023a7e6445b25bb0d35f38228dc29

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 db6715bdf5b2b5e760fff6f6879f20db
SHA1 aad3fbb9da6c7515c4bbb8602362bc03f6b0a4c9
SHA256 65952c10bd4d364832de4e56c2e161501758e88fea26df146e3a28d42b30f44f
SHA512 e3842ebea66e4f696db71b57ff6b4714d68acdaa8b38e5a83b3f4e086c45a08a5a47f917a6688ddaa21de97e7b91e157edeefaf4366833ceb286f390e093be64

memory/2820-422-0x0000000003D10000-0x0000000003D3D000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnlomafmkpiclmaaekkhpoecnclldmaa\1.23.3_0\icons\icon16.png

MD5 5fabc6d76523647c4b48b51fbd517408
SHA1 4d009569658443968cbca3516949c9632cbd25ae
SHA256 e17f7fa24d6ecd81bc2abb172a0c1eeceff830867ea45728eb93918eeb4c607a
SHA512 a6720e4ff1a68074e76d3d744bd45584f76c4b209a6b3badc82361dbb30b19ff1c5aeb30276b9ff991f3069e37716134400ae2fd85b209590db5a2e0ef3f2bde

memory/2820-518-0x00000000005B0000-0x00000000005C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CRNSISPlugins.dll

MD5 e95a1945663079496ac8f6374bf08d44
SHA1 b4b35eae891b2e06b1f559b12587b6ca54c3e82c
SHA256 d22c4dba24a3fe2fee0e5e22bb1744b8b11e8e3dd4190267a9086c9efb514537
SHA512 e4140888236bc2759e09941c51f8f97be2a73ab996c60e4dc6e25a61d8e59f613f90fc9bb8c073ed0d463c0f91951fd04f20d272ec5383fd0ad2d5450abbc972

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\CookieDbIndex.bat

MD5 986cff55f4882532b426067f811d3c7b
SHA1 1b70a21835aab5c9c5d942d7f549c91dfd347ccd
SHA256 7a05a2f992edf572e7d6571359620958f9dfd48af674228bf719a319f3ccabd1
SHA512 ffbc95d67339e5e049d0d45e5744403b254794f66f02cc254685e91b2cd288cc8df79eacba3e58ec656934c9fdd3d62534f402c53a04567a6ff4f16bfec6360d

memory/2152-558-0x0000000000400000-0x0000000000474000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\ExecDos.dll

MD5 ebcf9f71d804abab3c2e5ce4c17dc22e
SHA1 17d13084e75cbfa5fbfdd0025e9a0ee5772ae765
SHA256 d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993
SHA512 5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1

C:\Users\Admin\AppData\Local\Temp\hostsInstaller_1730064811.log

MD5 d38899fa5fde95065ae38410076285e0
SHA1 7c183199d495d68f2f6906a702e5e00da9dc1df6
SHA256 7061de1c9b359adc13b233348f41dcd06cc62ad64f05e48acee0423e656b8d71
SHA512 8b9cba45747ba325130154d774afb5b5a8232acf543d87c9faa2243c406f7b95e7119c05fc973e3f5e911f73679b4c03c53747323fa0fef9f9c3c27ce704d6fd

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 8ee8dfabbedf837a740ed2d1f19d6768
SHA1 f9462110b9623b63116387a3be9cf146845538c5
SHA256 01fcc24c1d9d68fcb99b7bccc254e660d4f01c6d0f5bf37af3ac0626912ae9d1
SHA512 8b6b802ecd54be30bb1ba9907912d81de174c4fc8470533e9cf5380cdfcda1c62a4893ab75108a598508791e540b92d592a36757ca6e3f9e66d479162b929c74

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\ZipDLL.dll

MD5 2dc35ddcabcb2b24919b9afae4ec3091
SHA1 9eeed33c3abc656353a7ebd1c66af38cccadd939
SHA256 6bbeb39747f1526752980d4dbec2fe2c7347f3cc983a79c92561b92fe472e7a1
SHA512 0ccac336924f684da1f73db2dd230a0c932c5b4115ae1fa0e708b9db5e39d2a07dc54dac8d95881a42069cbb2c2886e880cdad715deda83c0de38757a0f6a901

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\extensionCode\pageCode.js

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon48.png

MD5 12e783f1b55f54b719444e958d0f654e
SHA1 b147828f4af4fb86da89b0219ea7ff2da1d84a1c
SHA256 8b1bc99525aaa27b37216beda75ae7b457e0d8792b91506a736e7415f67788f1
SHA512 c44bb389bda5dba024c57cd4601c3dd5fe35a992c973eabd63aba4e8fb1e221e31ae06ad6e459b6c808f469fa14163722a11acc0624f43d797e5377e5e4486f6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\button5.png

MD5 8b1eb9cb80417ec0022d278a44ab1dc7
SHA1 c49eb73f79e70b8ed96d91ef62f0bc344e41219a
SHA256 e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6
SHA512 0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\icon128.png

MD5 68447a995095517de966faaaa441320d
SHA1 4229b0c045b7bfd1546cdc1f4e38c68135326fba
SHA256 f4223da0667e669eedaf4878678dae1637dec401ff7bde29dd56b8d1fc4e8d3c
SHA512 f52164a45b182c10bd36dd9fe34e5c047e8d55b6e86eaf4726efa40ef159ef6f586066b1660f45b2c6bd987f8ca90d0039e857e066db209837d9aaa1e8defe65

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\install.rdf

MD5 d9714eb9c7ca8d6f12da011cb85a91b9
SHA1 083b561967c9354264d1eea9fb5c7e0bbe41e81b
SHA256 167c43e0790c97ce7d1c76969c37a8e314016b22ec5d10effabb7bc17d5c6499
SHA512 70cd919b42e7b7462261f1a46277786f92152ee3d9d07b021b7c44980e72051c2fce60a5488a192be87941a22f6563b9f5e475ec3510e097ebcea28ce1aebd44

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\locale\en-US\translations.dtd

MD5 aae23d78c89bb64103e8d668bff80223
SHA1 c0903224a450ec3b506ede665b2fd8624f94aaf6
SHA256 10762cb296f01536427e6592d4c79b08ac48b1c45d12e7b36aabcdd3c1bd299f
SHA512 79101b2fcaf52733b9f29607f15c4679c6ebb9edbe9caa44b3e138333737b5b1302aad9e78a788601b9d8c8e7355fc85e02b2d5f8b00c32cafe0d54a5c7b6d1e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\defaults\preferences\prefs.js

MD5 260967b62a302147d44c771cdc3d2c9b
SHA1 fb83a8ccd8facac7c9edba98f6ce04274de8e903
SHA256 86cc451482895a5969813477f72812ae03fe462c7a11fb6f106d67905565f5ae
SHA512 18ca7c6d42fd4fa8f63f66df11b1f6c543c23420e11aa754d272a96e58a6665f7ebfe02d208cc3f92726998d4cecfa23ebf39a0e6ddd897b4196fd6a6172a84b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome.manifest

MD5 ba60b7b3decd2b1e30e55e4301e20de4
SHA1 61ee703b552a8826fe1086ecc5abee4d45bd92c8
SHA256 05c4744db6cacb64b25a23eff0c748ac24e6fb74e2791341cb26e154861e598b
SHA512 8893279ca4f4dc3ac4f4c91da402a759663b2aa3a5e2ac779be03fb3a242054d80c951c4d103faaa02abf103bf58d173fc50c417b0505cc918190fd718280fbf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\dialog.js

MD5 deab4dc957c13108352c4f014b242353
SHA1 bc63ae0c5744a1ad67821937873d1829ed64bb06
SHA256 caf871b1b90ce840acddd2cf04237dff5d3a992dce765a3996f630c669bd728c
SHA512 d1c59e171fc40e531e2a70542688d0c6d300e2cb9b68bef7b88d5ad35c985e6b1773c437a746215dc63eae185307441f804ea265ac98ea842cb0caf58056e784

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.xul

MD5 275186e0a6d4ddabbf8bc8d1b00add5e
SHA1 e4b57588e9be7de99e4b057801977f3614bcbf9f
SHA256 9a36a603d325f00e102539ec8a5409b1b65318145fdadf70bdb8a429af471fd2
SHA512 d06d14889c105e5440232ddebc2bddea8061f6e040fd35a46c4a1858d6fd60d4397729160f7de0400c3cb556419fe6b3272b5ec20368a6cb0f68fe1589ea2e39

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\background.html

MD5 fb162e226ced64d0b4d6e53ed9f82eb9
SHA1 2b1d6ab496785d96ddcfc712a942a0d1de8ef018
SHA256 3f20ea55cdb879a1babf8ac3372e2cba7bd21586017e7e22dd49050cb1d03140
SHA512 864650849cdab6609f2219960e04ba33a1878bda8b76c326d08fb5ad5410b2a54e9c84c5c1a22efaba832e16e549fc2a7f59421b65db9f9566fc7c118f44daf0

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\search_dialog.xul

MD5 68e04f0a85d4cb05c54f268e5e59fdc9
SHA1 2a465323fb0d697226d481be9c599f94d62fd150
SHA256 d61aae08a32e9987caf41d35bad06f2a2cee4bc094bafca7afec0648a2edd1d6
SHA512 2853de596d4a669fc6e13646524646277a74743c81077f1ae6ed40d1972ee621a1e7522b1a017b55c1cc578831503b864020d26d1d992c1aba33afa4d34d5c9a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\baseObject.js

MD5 aaba4db5965550fa33599a2888151785
SHA1 fb472dd90e55164f05774d9778e97a644ed2628d
SHA256 b0e6494d211fdfc5b0eb3f6668ccbdfd8f99d065440e4c60776e32e1b574ff44
SHA512 19d805ec4989b4e9eff4c855c4ae871dc81346f801392e06229d0e359f96e16e05108e0ff4c6207f9fb72c40a9e6aa9aef4069c7c730bd02c316b8f4d597914f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\main.js

MD5 a5be5ea81e0b1653d3fa31600a0a36e0
SHA1 dacb7a24b99dfb9dd4541b00e4241db7df7a219d
SHA256 ae4b7f033e53b8887c054e25fa6d3e7d754e2c97011632940685c84011e478f4
SHA512 39c69767688b0e483844b3b03a849a5075e2ae520559c15570b4509db1d125c2db43e7465193d57b9b7773c543c1e7c3dcf9247a402da7c8f0d87790226799c3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api.js

MD5 311200eb1ab011b88c0e9545a4d2d049
SHA1 d22bf13518c77d46e45d556adf6244a251ccd3a1
SHA256 6e8e5a4e707c5a0b8146387b44c66cdbd33a6e48c985e3800f9dced605f69545
SHA512 bca612da6341a485b4fdfd02197f02347b30e2b7cd0a23ebabdae6140de827af205afe59c62ab50749880593358e59a238d627523ba1fc81fe08cbee54553939

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\browser.xul

MD5 a82c0de0f37da22a6e07ff2077e8f318
SHA1 ae361ae3f52c2f7240c6275a6c40166796107c30
SHA256 d0ef8d510db101253558497c1ebb21410da1f44653d59362cca22e55b5025172
SHA512 c3e8917e8f3eccbd9e2580edf7c009010aa76446d92f8cbf073b4072e483187b413580ae91d51abaeb7f8eb6eb8c01bf914c4119a1ba1878222ec03bce542bff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\options.js

MD5 80297932a5645e651b2bc05c65cb8cf6
SHA1 dfb36a890b134fc09bb003c583f93c978e717f7c
SHA256 12bdfbb75c0b57ed66756b12d52a8538ca83eae7f5c5c3574af3f24a0d38a78d
SHA512 f5e97c10ce845990601e0d1889bc6173888a971297792cf85d10f6fd77428c445f81fff56af0576bd365abb22583d43dbaad3cf958e01596bd904b72f893a275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\xhr.js

MD5 b4a678cc9885730cd03de0d100bdcc25
SHA1 b0771a929a9624c256b45124e6f0c999707380e8
SHA256 9cf418b2562821adfc68368a469d843e7dee0f0d087a45866c0d8279c52fcb29
SHA512 9caa0eaf2eb874d683c41f37265232630168983969e2a64dc666add6a4c3c5e82aa316489f7a3b383da5fc52efa4ea705eeeca39528c1c1c7b9dc01058e3189d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reloadObserver.js

MD5 0587e06fa0fb578c220245ddb95f7411
SHA1 52df8780d25418d6fb90725c9816080e01bc5024
SHA256 9ed7606361daf6580e6ad953e7c60e33ab4dfb0e07087c577aa4c9475276ed4f
SHA512 0a1ffc4cc91ba10c0998f7f574ae1f5a9f2010b4ab62610d780ff0ad72078f9d610a1bf906e5e8270d6ef68b9cc3d439a333757ab7e9fc32609cf2bec4271b78

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\searchSettings.js

MD5 b1d1b15628eeab4bd8ef82bea8b9110f
SHA1 845cbc7fc818ed1879cd3f53535fb1a0c951e2fd
SHA256 594d3976d286423db7a94be62ad9bbc5ca9d5144fb94c7f061f4a2e14e5b82f5
SHA512 6900766534d55f79c75fc53a7acd156ae4d53a336ef79ad8d8fb2b2be45c92233458fdfe971f0502b27e83848b35892ef58851b3b39e90aee1ae52fbf337f159

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\pluginsManager.js

MD5 a92e9ce9e1e0ad01baa684c419ebbb8f
SHA1 850271a386aff13b2d2f16d3e70778cc8a655519
SHA256 a00e24fe9cfbbba7fb75c930449d86250c96644755fa3c78324fd7aa3eb04f9a
SHA512 469819873a662072279265323d2c5585137958387599bbd10c11a12c0e924b71232f23714b3e8f1690d6cfd1d27fd772d11a4cd3ef8afd94db9a7eecc228cb17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\prefs.js

MD5 e7ae2f5a14532b1b645d14bc04e4a12f
SHA1 592ba96aa9d7e448fe67e92228442f9312c1ae32
SHA256 6b97194d415ded6da5abcec8566073bc3714d2915ab48b2f96e4b5ca72043b67
SHA512 08cdc93db5de34e288449096f7c960a4a788ca73b436e2769a108fd2a479e59f26d79605d19422e73d67ed623a63952ce8103c166e68bac2ac78bae03192db10

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\registry.js

MD5 769dbc56827458c72b7ad8098c91e7f7
SHA1 e8dbd8c650c6e35e064bee32e93200f713ea94d8
SHA256 2ff6758a857e848cc6d30ddc02d18000cc062048b1df0b9ab59e9b9cd08107c5
SHA512 36fb166d5f74cd17a79338192e67fbc1ae18cb68a9c0422513f1560d6c1b3d357e6a940a1cf5128fe4cf64dd199aa5c4bb7689d70e6887dd7fef01cc7f3d58aa

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\console.js

MD5 9844f60e1179aea762ef53ec0d542fa3
SHA1 25cb21241d80f8ed03dbdb1b3c1d6d487415acf0
SHA256 dc619581ed2a7ef130c5bc780ce0c18bff78ca27ce98a0689bf3178b2b2967a5
SHA512 d40b6f2b59bb32dde9309bc9533052559b17786afa899de5682f2f3322492fbc583323e84cc98cbdcf2f46d1b6767e71fdddd68dd9eb695c4d304de33836fed9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\updateManager.js

MD5 9fc11c16a573da4dba7764fc111a50cc
SHA1 4035d7a0a8383e1b93d64fc161e3274d5f428ae3
SHA256 5250fe36cd0617f8497a8f2da1003fbfebe97b01f26f030728a26d33a438fbd7
SHA512 060cc213c87cb7f86809f8d533d677171f798e5a32519f0467e4ee2605319210e87b666c784d49e490326595d482fc37ca840ced537e0b4161ebef4abd99301f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\delegate.js

MD5 eec92acbcfa9d28b43b64aecc9e6c1ee
SHA1 d4253a3cd8810d575e1100c58f088d70e063889f
SHA256 1f3b9ab2bad072151166127c9bb92405e031ad8afdfe2f9dd5ebde86ccc0236f
SHA512 62f3856a5c2c5e408e68f2f4266a86c9f49411e92190d9e865144ebcae0907a401f2ee808bc7a8cb135504997a6afc71b7f7e85ff18c68175dde88b0e1b67b93

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\consts.js

MD5 ef2e8bca169a0e83e6e1a1daaee07c4e
SHA1 a78279e9bd75e866a18f36cafdc4e4385d88610d
SHA256 2f39c546d790606df3c1885603984d2bfc94965222b48f6eed74447552114673
SHA512 7e86e8447570714ad1975617c159208d217132857775e465d12f9bd7902b7e65757c621841e7822db142ff045ec6a8ddd07767b92a845e3d3627e0acdf94b672

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\progressListenerObserver.js

MD5 3e9a68cfaeb26b1bf7b39037a5670d38
SHA1 b6633a830be19b218af576417d0fec7ab5dff435
SHA256 96474c2cef1c5bc83df3d8bfc19d4853968925ea981b0a5c09b160fc15b59f18
SHA512 d5b85a1df2e678e70d50ab5e7cf1e84707288b8ad80327c9eb9f65b2c803378268adf3f44a43078080092acfa26611b0dced54c754ef0bcded03fdc3fd902e17

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\reports.js

MD5 60fd9774d8bb9d6eac945da719e68428
SHA1 6f04d94ad0c566f23f432d3457e8116c0f97c119
SHA256 0c4cc49edbd5ba2c99efb98fcba81d1390f87d1c6a7a749f0bec4bbf2adf0e2a
SHA512 20b7fc3a33eaa5042370965c2540fc5041ee3d188c912608e7d6c8d0632993c51dfd2b4a53e2b4ce1f02ba7b2874e228e968780aecf4db6b6f7c71eccc5935c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\installer.js

MD5 fd3f295f1c17b33d7a80103564a7f221
SHA1 0d67ce68dd98f31c3c8c2152a23aab11b6a3fe28
SHA256 cb89a5f1f1d1bf601c8e257562287e5011cb982dab2a673658eb9c6f9065a9bb
SHA512 d499507d6b98a7247739d8083048317a133e625d57c650c1993395f753c9ed95c832dc792609b9d632cad007f142021c4ff0c1882b2ccbbcee4b70ad985bad1f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\httpObserver.js

MD5 d84f78673765cd850eb1600fa60bfeb1
SHA1 bbf3b8f1a8c03b4733b326b9a36d02bb55902620
SHA256 dcb0ee2e8733c03f33347148eee0c60d910c0bf511c75c959b0e46eb9afcb915
SHA512 8714f8df6b813bc4d6ed78a1cb6697f2aea3525c3c48961b7e4feee2b43a601e137899fe88804b451c3d104a9d9d405a1daf82b7a510cf8bf7f1f38c22e94af6

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\IDBWrapper.js

MD5 44bd338a01fc265a1f48feb6109cffd3
SHA1 21a16911d1a82b1ad847b7a9c94f95127eefca60
SHA256 4c2e7321e1db1e55ac0d22934c916467d45767c85a65843b942891f983102da6
SHA512 9039535ed0910662afb0148598e3326bc50641887e4dd8907734cf0d1093655ee3c481c0d2f7a5581e5846cac804e1c10c33b896f78895c858076b2c605569c5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\requestObject.js

MD5 58bb6d11d1eaf46767cc60de67cd9454
SHA1 d7c575929c2d14b8cc155879069fab443c44eb3a
SHA256 4b5d3e7c0a686c55dfdf2348533a6aa8ac2a768bad01673bbee717a92dce44b1
SHA512 41d1262f1b515f6990ba0ac41d446230d49873ecd90df6d14d6ecbf767a5aa923d2ee9405ef9cf0c96a9c323a1da125d84fb7c26bb1a19a02a8b05a01e725be3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\uninstallObserver.js

MD5 1f7e4557cc0450b1b59f088534a972a9
SHA1 09ddb030e2634dc6cb6dc8bb99b035e35fb20dbd
SHA256 430d1975bfbdc7f878e442a0c8f9cf9d0a3a1c3a5752b5b13e226e11b2ba6aec
SHA512 078ec9639458bec7b7de1c399693b9004d9e6eb354dc130c65aa8cd2c3e78325f44388024c931e8135c90e92a3f82641ef8d2bd3f45c1beff75147377bcabafb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\core\utils.js

MD5 7f67b1f11066759f19de77335aa9e162
SHA1 5c689fbf820dded68beb78a0695569ea6b7a9e5d
SHA256 89e7e4c46c456bf2464a0997d864baa564da84eaf59306b153c38e08d643a00d
SHA512 7460af03a7360682481a8673a13cd675d88a52a5d565d8a84e379015b3355ef5e7e94e75c53047a7f3993478014aef457e85b6cba606b6af41ed3f7a434e676d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\request.js

MD5 7188f8b638a00a897acf7d6db9381c8b
SHA1 8394559d7791715741cf8f1dadebe7b7ad15132b
SHA256 306b1301a4f737d7a7995168a969bc730f26857a39949fcd4899d1dd0a6a3f9d
SHA512 dd950176cbe599602b660b767c1a85fac866b00d5b025886efc01d3e488e7b4e5392da3ac4b73956d753c102ac297373e0834022ffa06f0bfad07c78c6c833cf

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\message.js

MD5 8a07017e0756e912aa9fe2fa7f722456
SHA1 ecd41edeea92e2e00f2b518afb1410bce30792bb
SHA256 1501c3e6e1b668a191ace44009710e603d9f036e3d4dc405654162f65674a953
SHA512 4e3ec3e61114b67a3c42c968c1a88afbb0b5d1119f98140991147e644463e7226cb2d7db17bdd6980ca206f6ee559e2fe775a009ec93f29fdcd1b9955b713123

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxNotifications.js

MD5 2cbb07727f1ad5480752694ba113854a
SHA1 19c82a1dfcd0e7a8bc442ce22ef268d699b9e674
SHA256 db1a27b86d4a1848cc0e8c5f1887ece15ebab250bcb025d1e0aa2d3c029d9b40
SHA512 9ad1b14c3febc6c74474680c7b6c02d8294f7f996940d4ca0d448cabcf2fe7f15249aae5fc67184c49d4a82bc236690f85403746932ca6df4e93197f209f1291

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefoxOmnibox.js

MD5 aee13ba60482e203c4bfc871339b624d
SHA1 a8c42a0844cdc5f5cd7ec7ac033c7fcd24ca96ba
SHA256 cb043a814632118b25b305ca6cb0abffa1e10a502df054f2a17554bedc299913
SHA512 06b3938eaf16459456704e8edc12171786954f707fe166820ca4fffa35c9e8724c82dcbdb88a5f0b24d842df40c041d6acec7ca10f4e85fe5d83b59132dae544

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dbManager.js

MD5 780b66c8196bd869af8eac63d695d9c9
SHA1 c02d465ce06fdc40e8adba0e463fa3b609fdf56a
SHA256 aa61b53209da3e4ac51c69326d7d31168cd14e34808d8c71784e804aa970e486
SHA512 54b8e3adff18652cdcd84a5759125d061e50a0f074ceac89a31085bb31096308244824e24980330b5c9d0f68c52a95eb85b3bb2ac36e3e5645bf2e3fcce71b70

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\background.js

MD5 bad0c2449513ec4ed9ca13eb55591aa8
SHA1 e260a391e5dc7913ab3b81fe8da607ee43fe45df
SHA256 e5be4a0d2f826fc13592de1befcab2b639ba169b3c74069f604dd16739d20779
SHA512 a545d32c4ea9313a30bca7c773f8c9bca640d98cf73fe1487c248ccf79d0cd916b122a0d71e5699343692cbcd3c326f10a0708a7263e794d720023d2c4e5c0eb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\webRequest.js

MD5 e8a80e409e40199e3309e5d37dfcfeaf
SHA1 b74ce420ab51a7af5901cc2f17b3ba19ff2b847d
SHA256 8e82ea7cc89b91e80b5bd904ae3efbc34daac4374f1c6089fa25ea9ec2ece2a9
SHA512 4e7ea24f342197675e1d1cebc61c16aa3173bda6e96d616d97f8978b180d601294c1c82f845209b1f5b3ce07dc71c1e75c042fa476415960cbc8b7017e6bb316

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\firefox.js

MD5 a1cd4406d7577807a698aa3995046192
SHA1 7dc6d8b6718d8e3042f9b959939eb6d1caaa4b57
SHA256 5609ed9fa249166c8dafe7eda048c86486574445244d2dc509fb617b87b5d7f7
SHA512 9421c2310562ad6f9026d7f710ebcfc4957022219e972db3424b5f926a7a5d5e85b8cc5d0ba47c0214d2514f90f31b32ed77f887b8279fd5e90b74ffc341768c

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\fileManager.js

MD5 81b4df8409320d739e70e9d4cc4c62f7
SHA1 7f5e03ed6d5d66fb9a0d052761731d302df21eca
SHA256 7817b095e2386aa2aeafd5a7c3b0b974efaab2c71f0b3833ad344ff6c80d1e08
SHA512 c0839504db12cc2dafcc127cb0d25e29f1393c3d7b7ef6a74d0e5ea9656b9894cb7e7cd8c244eca2fa00b1df414bfd0638c22d37cb1049ed51e905a966417720

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\contextMenu.js

MD5 ce25d7dd7d7e34dc5b92d25861cc2947
SHA1 6f459ce6d14b57ff1f9b5f9271a29a7dab59f880
SHA256 d8a5816494dbfc96b41c00913f4d61c30ebafd454b5d7107d3a876a2dd1dffe5
SHA512 cb0f3b6c24da47fb8458726db4341973e3f6ea5f738988b4c084493605662a0de330304f3369db0454a48ba28e9381de5be2a23e3f70508b19dff61fa9f81d7a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\asyncDB.js

MD5 e377ef2d419e60d15b422da1295201fe
SHA1 92a1fea50dbb2853c5ebd95a039a5fe9ffae8c02
SHA256 3277002ef6bf5cce6c956dc6e0638c6091351b723023bb63416e60a034c1fe17
SHA512 cdca13250f0658cb17d217d8b898ed41ef256b8829c1e572ea2b966e6d5c23ef122274c192147e3387b4503a4230543eed4dc34a30fd14dbdb6d93b745b88626

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\browserAction.js

MD5 60c4db63eb127e64d24f7e9f37e43efb
SHA1 dc799abfd6c2538d0b37e85936e9b80bac02badd
SHA256 c11736a73ed063efe51c0fe49d236bdf7d3972ede001763749ed060b1b028581
SHA512 0dc9a6349d4bdbb533b4018ad768ba26051477f50a7f47d3ddf0b921bb05176d4133a2ddac2f1013df468f130aeb27b950fba9e6a8367ce206d8e8c8f67bc0e1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\dom_bg.js

MD5 de002d9604f09b376b85159f289b75a3
SHA1 5c6c4ad17b914118f387863ee5982aa52ac34c09
SHA256 0e095eb0e16c343ac812721b182bea66498fca55ecd899ab5eabf9e0afb792ce
SHA512 a29071d597111b9e7335e5dacbaa19715950fe03072eebdbc15bcdd2021958d30522e4af00fa711059d0337f4af4c4913664ecf266177607228138c4cc2157dd

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\chrome\content\api\tabs.js

MD5 7d8a2c2c54f33325eb30368eba7564df
SHA1 72e5449067e0c85242cb28c8069cabd547908d50
SHA256 34989f3c20224496c68d06621e67628d3ab4dd5d558175593710c395369121ed
SHA512 22ff2058cbd8d2eba7ab56f6990ff9184932cd4aea29431a971d5e947758a69438d041b1cf19b5fa1942e83b14c6df54e625d3c69a03149dab40ee407134fc91

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\popup.html

MD5 cbdf4e688981915b95a3741d0c9d5fe5
SHA1 e4f188d057f04638443eab966002e7feb63bf61a
SHA256 af11066b4ff2a7d851cf85d97b655557240303c89b1615ca0ad753926af3602c
SHA512 9f83da8364e3722ff64c6feda4bd7acea4bebacce479c01e7be7ac59298c0907a3a6041c8724f40e8fdbd1056cb80e1450676eff581b1227b22a4747083ec451

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\update.css

MD5 36ab40a4b899472d25a3c872a7f9ad4d
SHA1 c29870d67d954de9c5c32783ce28cf7f77d13ec1
SHA256 4f0795bbc78e195bd977cf489c05543ac86bd10f95fbb83a5db11b17c7d7f664
SHA512 9626a7a269acebdbcacd31f4d5e4f70e57873cbd8eb4e835b2d4b52c863fecf6a27f474124b508a0fed8614bc6e3165be38b0930c7a96326afbb23343cca514a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\skin.css

MD5 4bd957ddde2bb2e537060afcf55f1f72
SHA1 d0d4cb8fd259bde8e297fb68326c6a4a1bd6ce4c
SHA256 f3fee308a875a4d7cca4cea16ce548dd652df2f10ea8dd2d1aa11c2ecdef4b0f
SHA512 cd103bb1b7f1ccb2a483d8c974150d5b32676616d325564615da1e09b024e821a0df4a1e815f8b7dc7a6fd0eb1e70156bb186bd452040070036f96958e869d92

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\extensions\05dd836e-2cbd-4204-9ff3-2f8a8665967d@a8876730-fb0c-4057-a2fc-f9c09d438e81.com\skin\panelarrow-up.png

MD5 752c26453dc2fc989ed46f5920328edb
SHA1 a064ccc009ee36c20dd5a8aeeab1a335bf82bda2
SHA256 758210b28ee3298facef83c81272ef4121f337392ef5bdd44e47222ec4966beb
SHA512 b0c3c58ca36e7dfa9988bd68a0432b01db020420e3406653ae8521cded576ebedb9169df93f1a9dc461831a52c0297854fdd23554aca551d246de01d17db80d1

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 e2236f4df18b245c4428767eb7001bd8
SHA1 d091f299951ca8ade7bf03ae84ca3ca1ab2307b2
SHA256 3d98372fbac56338b06f24aeac4f52cbbcc4977d2f7d86adfb92cfc1a9d5607e
SHA512 8ba872180043d2596328cad3c9eb7681d184a6574ce6fa8c7baef346ad9098a0b8d13b20a6df212fa2590caa750cf71cec99e4dfd62984fc3396d56a29c9aa84

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 c1d9bb540a5cf2b8e335311c247bff92
SHA1 ac2dc11f16ec71ffbeee862afd72a41787e6980d
SHA256 3a55b9b3d0226e810e33dea581f40cd634580bffc6edc591e67df7153851296a
SHA512 d623827fe626447745be95e16599a6b6d8ed8862ae30c80226f9434c5f3293f3422f0fb260f417519a50514f97334bf25a84ed51ab9e43f76faa12556e8d36af

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 6aeaaedda1949deb7c40b09ddfd7ed09
SHA1 f3d35bd0edb197845b96cfda824c96cf77e79a7f
SHA256 31804e16546b6b9d914698c6c5cb4bea0c0a8ba27bcd085abd5a83119f23f0bc
SHA512 24b3ac81b4634c5e81fb6ab28e727d2b99220cc67c5ba84bfd486f4276a10dfc57335a6cd929f513134d04023beac4afe9c152c2f2d2226eab733a54ee558d17

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 c0228d656c703062404bb811a2358892
SHA1 fa32581dfd2ffb9386c8bed36bbca46363d5c996
SHA256 d39b7e365de13379ca4dd4f2bcb0f83b4d85c383912cdcdc7fda23ae1b083ea2
SHA512 3f5b07348e5268e1504b394b9c5aeb6aaea6d3c774b3550d170c341fb05f41ce990e973b1f6955175f021335acf540bc813804cd35735fda332b967aae91118f

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 96217006f4ed6618c41c27ddc4410a91
SHA1 391cf6d7bd90476855736cb1cc22d857c56e2e0b
SHA256 9983f6e68b7243a97b90ff21e64c30bf28831e7dbfbd1ee5afde4f806a74448f
SHA512 fecd7ceb050c98db247a238c519d28ba42fc62db98b25b30c80b97db153a9ff638bcdd4a1dec71addb8b78cd8250972639e935662c27edf0e8f84f6af2c10938

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 062e75c38b5a59b16287e1ee8685cd44
SHA1 3da718a9ae0058642d6b8e3da6e86dd9a527ddc5
SHA256 b7ac77b1c6bba01fcca0790ccc77196ed7ab013c95613c40b302055d96693f6e
SHA512 52dcb232a7658c2ada16d5ead10d28f0c489b8c21284f84b1ed3833f2bd5c6d7be59ec37d7c479bf04d70c86fe369278c3b4ba5bdf7d577cecdf0e4c487f6154

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 8b017e3910261cb0c9d914a6abac5382
SHA1 5e4400946760495478a72bd89bba9e88b37af589
SHA256 05e97c8a5777931dbd1a14b3e08c7aab07e4c285b87efa1dae8bce0c4092dbf0
SHA512 2014033ec17b776583f7c760b58d669763bdb89919657a7fc0240059dcda93f36ef5029379ce1a78dacc15f8a893294f2a06d7341fc4647b4e8736f53f5e096e

C:\Users\Admin\AppData\Local\Temp\nsjA97B.tmp\temp_file_after.tmp

MD5 db6aedf26ae4c857fc7580611882669a
SHA1 fa53a2e301e3bf024159c99e40c8d72e86bc68b9
SHA256 043263a827d1399a6a67c283c2dae406a399f7e976a95c897b20a5d70cefcd06
SHA512 3872d09b4082cb284875ae318dd2d7fc87d074ea21dceef5fdb7165f47bf4fb67223ff20fcb344a483d624d2198ef189f8916bb42ed64a2643c877a22d7727a6

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

137s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2340 wrote to memory of 4776 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:34

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4032 wrote to memory of 3808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4032 wrote to memory of 3808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4032 wrote to memory of 3808 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3808 -ip 3808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 13.179.89.13.in-addr.arpa udp

Files

memory/3808-0-0x0000000075680000-0x000000007568A000-memory.dmp

memory/3808-2-0x0000000075680000-0x000000007568A000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-27 21:31

Reported

2024-10-27 21:35

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

N/A