Malware Analysis Report

2025-03-14 23:05

Sample ID: 240406-3xg8maef5v
Target: e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118
SHA256: 694982205d44c2fd858b0246f1ca3c68766ff883ff75e342d0de8920df3b05aa
Tags: evasion persistence
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: 694982205d44c2fd858b0246f1ca3c68766ff883ff75e342d0de8920df3b05aa

Threat Level: Likely malicious

The file e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion persistence

Sets file to hidden

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies registry class

Modifies Internet Explorer settings

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-06 23:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-06 23:53

Reported: 2024-04-06 23:56

Platform: win7-20240221-en

Max time kernel: 152s

Max time network: 160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inlF402.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FA69FAA1-F470-11EE-AFBF-6EAD7206CC74} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418609526" C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inlF402.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 576 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 576 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 576 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 576 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 576 wrote to memory of 1600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2244 wrote to memory of 632 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2244 wrote to memory of 632 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2244 wrote to memory of 632 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2244 wrote to memory of 632 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1600 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1388 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1600 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 3032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2244 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf

C:\Windows\SysWOW64\rundll32.exe

rundll32 D:\VolumeDH\inj.dat,MainLoad

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Users\Admin\AppData\Local\Temp\inlF402.tmp

C:\Users\Admin\AppData\Local\Temp\inlF402.tmp

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E395A7~1.EXE > nul

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlF402.tmp > nul

Network

Country Destination Domain Proto
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 www.cnkankan.com udp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 8.8.8.8:53 jump3.35638.com udp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 sstatic1.histats.com udp
CA 149.56.240.31:80 sstatic1.histats.com tcp
CA 149.56.240.31:80 sstatic1.histats.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 bofangqi.6gg.cn udp
SG 170.33.13.246:80 bofangqi.6gg.cn tcp
US 8.8.8.8:53 mohe.6gg.cn udp
SG 170.33.13.246:8012 mohe.6gg.cn tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.93:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 dl.pipi.cn udp
US 8.8.8.8:53 d.shasanguo.com udp
US 8.8.8.8:53 rsdownload.rising.com.cn udp
RU 163.171.149.73:80 rsdownload.rising.com.cn tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
CN 182.61.201.94:80 push.zhanzhang.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
CN 182.61.244.229:80 push.zhanzhang.baidu.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp

Files

memory/1220-2-0x0000000000020000-0x0000000000023000-memory.dmp

memory/1220-0-0x00000000003C0000-0x00000000003E7000-memory.dmp

memory/1220-5-0x00000000003C0000-0x00000000003E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

MD5 c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA1 10b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256 b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512 409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

MD5 23962a245f75fe25510051582203aff1
SHA1 20832a3a1179bb2730194d2f7738d41d5d669a43
SHA256 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512 dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

memory/1220-27-0x00000000004D0000-0x00000000004DF000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\1.bat

MD5 b7c5e3b416b1d1b5541ef44662e1a764
SHA1 8bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256 f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA512 65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

C:\Users\Admin\AppData\Roaming\PPLive\1.inf

MD5 34c14b8530e1094e792527f7a474fe77
SHA1 f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256 fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA512 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

memory/2244-72-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\2.bat

MD5 6b78cb8ced798ca5df5612dd62ce0965
SHA1 5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA256 81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512 b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

C:\Users\Admin\AppData\Roaming\PPLive\4.bat

MD5 0ceba8fcdb795555d8b06d4f44b203e0
SHA1 04605436575b3e7e56d8bda7cc743aadd49d27ca
SHA256 fb266165b28fcd53f59ebb1e4d7c4c26b4af13a94dd3e0022257cea8ca9e679f
SHA512 f364681e84e0c1937a8da49f17789adf04c12b6d7329ef0ac243a8dcc63b7907f608ab58504d852bd1d69d6b6203e50a0448e4cd331870bfecc7686148d3cf7f

C:\Users\Admin\AppData\Roaming\PPLive\2.inf

MD5 ca436f6f187bc049f9271ecdcbf348fa
SHA1 bf8a548071cfc150f7affb802538edf03d281106
SHA256 6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512 d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

\Users\Admin\AppData\Local\Temp\inlF402.tmp

MD5 fca1bbeb2d73c0e92fa09c4605b5d395
SHA1 818ab4cc5a78bd8bdab8c2e55a7233573aba0b69
SHA256 2a665f5748ca58f5df4e6933dde745068ade68f579cb8558ee62f93ce73261ae
SHA512 5c8f64e094724d75f77371d158c351919b2b3dc3e0a35b5ddfd72f4850aadc8bd615ec01a82d6263d75dccb518c39b2dae5fea1827b33b798a2fe28aa1599ede

memory/1220-104-0x00000000003C0000-0x00000000003E7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\FMFFHM9Q\www.cnkankan[1].xml

MD5 520ccdf51029d81d08f0d8d674aab14c
SHA1 a6b7ff5a933a1a16a28b99a49c51eb062947a123
SHA256 5f548eaa1b50ec42878e8440ee6bf9022e6f449972d7a6de6dc70de6314031d9
SHA512 c3eed3cd89577179a92126db3540455664dcfef2e0b6716fbc6cc309901660441149f1229879284263c666156c975ae1a12ef8a8c572a03c4f91808f70cbe85b

C:\Users\Admin\AppData\Local\Temp\CabF4DA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 749607a59bc0216749640d3c617f4cad
SHA1 7e032314b4a6dea06eb8f104c0a203f00482cce5
SHA256 2e1a00b42a7eb9ce1ede9ec1c9bd31bedbaa0afab6c4e8383833ef46b343a2b0
SHA512 24ed522383c30b2e14d8b9a3c0517a3475667969a4933a7d4c66c913d9a3eab7a3cc315914447f2d94a1af1e2dcf100e50f984714af976276ce95e80db6fe029

C:\Users\Admin\AppData\Local\Temp\TarF4ED.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarF62B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 ec7248b820bf32bd287c5902ba16bed4
SHA1 fc23cde10c76ce24ec37ce32d526ed3dd364a80d
SHA256 885ffb9eb1982558194bc3446fb3f3e2c4697bb5c40914aa83b5733abcea9e0d
SHA512 2f370c2c1b032e857ed04a227376d2ceeed287b0ae9d764e2a50bee5a035a5543588809ad2ebae8768b935dd1a3ecaca112f225586048e9c5ddbb632fdd5bdd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27f84e1a8bc7cf3cedfb4c3706e7ae8d
SHA1 80fd5f8d69070eb444294bbb2089d5cd8cb171cb
SHA256 592c87aa56d5b365b011d683a71840e4de29fcb03121e4497442571e8267d42c
SHA512 0ae8bf3f042c882f702d6bcb15349709ecd1c8025bc4538d4a2093fafb687e2917b80dfbe3904023f2c169f3fd4b2f7076d5773c783f2cea20eced484d04628a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea7714042b8975e7255bed8bb969652d
SHA1 16a9c60f5fb0251f9ba5189399c01443029910d3
SHA256 993650667ae922ad00e28ede517da8ed3450451cadec5a9f82a713a95576f19d
SHA512 337b41a20db10ea5e12d14830f5459c68f2ed0a562ba0b03f56e357e9a3d905552ca5984f8e7b0cdaf9fcdf06cf82d7956489ef982041e6a24f86ea99a67b7b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06e7325d9c0da0d04a01d844d91f7c9f
SHA1 722d1e2bd4ed9fd10fa6901a9f1903709e093c65
SHA256 1402ec0ce3e14aa01a5eca850042fe5e38b88eebccd43c1a63ed3f7e2e71fc4e
SHA512 d79641aafb4f25371ad3f928a0a7b308c2daf5e5ca250432af293219acfc6ea8e21a7491379194619a274a87cf125f14d4e8e86a2ab67c517e2caee81c360bf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31bd2d2feabda4fb85a2114f5483ea11
SHA1 b2a272175ef25679314dfaa2ca93122bbbeae7a8
SHA256 fdc396710cf6e981505e377855c0b2a0d36ffaa39e80a966fb8142d7602cf8a7
SHA512 64fbcec5b23ea2c238dccf0b494d5e3764030080aa9fae39a5b33957a10498983e0869179cfebb299d9d793f1ffd257750bdda188e802f431035d37f19c48e3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92828ece8fee13a5a0eda1647e2c9673
SHA1 983f651291f4fe74070e93d01a937cf5d49cca72
SHA256 3d4c43fee9382296f5e41d8b1292be0d51115228c865266d06f1acfcfda1ef14
SHA512 44fa503e5e4d1f899fc8cc78c370ebeff5b9ffa988417478f8390f9c5e746fd1758f4d82c24ef50210f2ef2c34ed232b2660940dcf7fd0ca52e3c7b7b8b25232

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cbaf656e75c6c6fd64de592fb540d53
SHA1 05d74d708e937623fb8d777431557fdc8bf4219d
SHA256 2025b2476d52e05a5034d44ccdf96057ca69da100cb15812fc1876041535f531
SHA512 d85fa3ddf4d886b1d0eb62c2e62778e89d0ead5603230104987635f4a9e4487cec53772f3a1a143af6dcf88bc4d51dca74cc8a5c4344de984dfe98162254750f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 1cd776c51768ddc4587a00d49f466d61
SHA1 6e63bf82293eb462d23ac7204bbe81798a3701a1
SHA256 d1683fda79a2a7043073030a3c31e5c0692babd617ac021c07e0ed20717e4233
SHA512 0e5f5b22be6afdeefdbe14781fdfa685ca78e58d1c283ed279756c0d35c8d292a07f02d23b9520dff48e61d2af283e1060c7cbde6133ffacd998497f30fc6591

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3f4059f54c20908ccf059bf6ced9c7b4
SHA1 5c88c410dbebb811ddbafc27e73a2cc7ed9c8f9b
SHA256 249c470a8c5fa3e9542dfa0ebe7049765ad6872d33d4dc235e3eee4b603a4b17
SHA512 d42375cfccff729a9fa8b7095d18dc0d09535ef8c8a7e643a01b7bb62f78d5a397c15c6c02666b673d9a02b40147b37cf3f27afe9b3665ebfb85c6a456ce4d30

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7f3a47ae53e61dde07dea2f6bcc72c3e
SHA1 5d58e7059f4c17aa87e7a02fb14bb1546021fff7
SHA256 d10b7cd3d0d9957c67ff9ec3936e6aaa973f2128b1e7702dad6661b8d9357fa4
SHA512 3413748d8659068a6d0f326085e66b0703b8289b05616fa8b65aff1d621381054b31571c1c4f681f529b3e4d0377feee1f603d225ea1777262f3d30d40a1fc24

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NXAFS242\favicon[1].ico

MD5 7ef1f0a0093460fe46bb691578c07c95
SHA1 2da3ffbbf4737ce4dae9488359de34034d1ebfbd
SHA256 4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c
SHA512 68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jqfjk0y\imagestore.dat

MD5 a359741a2f3c271ef6603e905337cf5a
SHA1 d515425f4d8c460da545c268dcaee1176019985a
SHA256 0ee6bdd1a82d4174ec179952ea4cc3826bf6a063153cd9daa5835f77e9c4c878
SHA512 6ad1a7bfa047df15d2a870f69ebc2879664cd50f15f940b5b71572a669db054065c4a61e24bc5eaaadff5686aa74f676dc88a2f9ca187988591ac9924b684a1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:53

Reported

2024-04-06 23:56

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" C:\Windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\runonce.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\SysWOW64\runonce.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e181000000000200000000001066000000010000200000003f868040789e24257a9113d579258e8723545b5eb0748144f70e4fb53431c9f1000000000e8000000002000020000000326bf2eaf85c0f63e0a81b01a3359180e82580170f258bbb8fa7373732bbd84f200000004ca15097e50736ad61f198187f5a3bb545090394b2c8d2795637e60f105a8d7540000000c4af9164bc6d471b4efe19b1a107926fe382b3ebd8d79b74d21ca59a693ef97fcc727c8dec49739602d891e92b8d43d0233cb8083872c4d6d237ed5acc424986 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB0ED8D8-F470-11EE-ABF1-FEFF35FAEE38} = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3221869400" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099005" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419212607" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com\Total = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3220932104" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31099005" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9016c3d67d88da01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c0da766f7a4aa440a3269a9745c8e181000000000200000000001066000000010000200000009205c16741a4043cb47ca54bb82d66c62f3e656bcfd9689438344563c5e85b83000000000e80000000020000200000008dda4316041de699f2f0ec7bb99e508cee7d12668abce505c5ee6a1a3e500a27200000003b3ecad533670939a5e93f9259b1a8553a0efcab2ec4307dcab23cc25df91e59400000009ed8344d5729f61d4d6d712640358acd25c8f63487859eb69cc5426769be815299b8856f32ef5ce59b995cc0d436131f814e35e39eea78343a22f6909474f3fe C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099005" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3220932104" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\International\CpMRU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\VersionManager C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31099005" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\cnkankan.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~1\INTERN~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3221869400" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.cnkankan.com\ = "63" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b011bcd67d88da01 C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" C:\Windows\SysWOW64\reg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\"" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} C:\Windows\SysWOW64\reg.exe N/A
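
The "Adds Run key to start application" and "Modifies registry class" tables above only make sense read together: the RunOnce value hsdfasd points at a path whose name ends in .{971C5380-92A0-5A69-B3EE-C3002B33309E}, the same CLSID receives a Shell\open(&H)\Command that runs wscript -e:vbs on 3.bat, and IsShortCut on that CLSID makes Explorer hide the .{CLSID} suffix the way it hides .lnk. This is the usual reading of a CLSID-suffixed folder used for persistence. The script below is an added example, not part of the sandbox report, that correlates such rows automatically. It takes the rows from the two tables as input, assumes the report's JSON-style quoting of string data (outer quotes, \\ and \" escapes) and treats the GUID in a Run/RunOnce target matching a CLSID with a Shell verb command as the link between the two.

```python
import re
from dataclasses import dataclass

# Rows as logged in the two tables above: (key path, logged value data or None, writing process).
REPORT_ROWS = [
    (r"\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd",
     r'"\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"',
     r"C:\Windows\SysWOW64\rundll32.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv",
     r'"grpconv -o"',
     r"C:\Windows\SysWOW64\rundll32.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" + "\\",
     r'"wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""',
     r"C:\Windows\SysWOW64\reg.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut",
     None,
     r"C:\Windows\SysWOW64\reg.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}",
     None,
     r"C:\Windows\SysWOW64\reg.exe"),
]

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(RunOnce|Run)\\([^\\]+)$", re.IGNORECASE)
CLSID_KEY_RE = re.compile(r"\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[^}]+\})(?:\\(.*))?$", re.IGNORECASE)
SHELL_CMD_RE = re.compile(r"^Shell\\([^\\]+)\\Command$", re.IGNORECASE)


def unescape_report_value(s: str) -> str:
    """Undo the report's JSON-style quoting of string data (assumed convention: "..." with \\ and \")."""
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return s.replace('\\"', '"').replace("\\\\", "\\")


@dataclass(frozen=True)
class ClsidChain:
    run_key: str            # "Run" or "RunOnce"
    run_value: str          # value name under the run key
    launch_target: str      # decoded command stored in the run value
    clsid: str              # CLSID found in that target's name
    shell_verb: str         # verb under CLSID\Shell, e.g. open(&H)
    shell_command: str      # what that verb's Command runs
    extension_hidden: bool  # IsShortCut set on the CLSID: Explorer hides the .{CLSID} suffix


def correlate_clsid_persistence(rows):
    """Link Run/RunOnce targets named *.{CLSID} to the Shell\\<verb>\\Command registered for that CLSID."""
    shell_cmds, shortcut_clsids, run_entries = {}, set(), []
    for key, data, _writer in rows:
        m = CLSID_KEY_RE.search(key)
        if m:
            clsid = m.group(1).upper()
            sub = (m.group(2) or "").rstrip("\\")   # default value is logged with a trailing backslash
            sm = SHELL_CMD_RE.match(sub)
            if sm and data is not None:
                shell_cmds[clsid] = (sm.group(1), unescape_report_value(data))
            elif sub.lower() == "isshortcut":
                shortcut_clsids.add(clsid)
            continue
        m = RUN_KEY_RE.search(key)
        if m and data is not None:
            run_entries.append((m.group(1), m.group(2), unescape_report_value(data)))
    chains = []
    for run_key, name, target in run_entries:
        for guid in GUID_RE.findall(target):
            clsid = guid.upper()
            if clsid in shell_cmds:
                verb, cmd = shell_cmds[clsid]
                chains.append(ClsidChain(run_key, name, target, clsid, verb, cmd, clsid in shortcut_clsids))
    return chains


def describe(chain: ClsidChain) -> str:
    hidden = " (IsShortCut set, so Explorer hides the .{CLSID} suffix)" if chain.extension_hidden else ""
    return (f"{chain.run_key}\\{chain.run_value} starts {chain.launch_target}; its name ends in .{chain.clsid}, "
            f"whose Shell\\{chain.shell_verb}\\Command runs: {chain.shell_command}{hidden}")


if __name__ == "__main__":
    for chain in correlate_clsid_persistence(REPORT_ROWS):
        print(describe(chain))
```

On the rows above this yields exactly one chain: RunOnce\hsdfasd, CLSID {971C5380-92A0-5A69-B3EE-C3002B33309E}, verb open(&H), command wscript -e:vbs "C:\Users\Admin\AppData\Roaming\PPLive\3.bat", suffix hidden. The GrpConv entry carries no GUID and is ignored. The same correlation works on live registry exports (reg query output, a hive parsed with a forensic tool) once the rows are normalised to the same three-tuple shape.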

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\PROGRA~1\INTERN~1\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4892 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4572 wrote to memory of 3284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 3284 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cmd.exe C:\PROGRA~1\INTERN~1\iexplore.exe
PID 3284 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3284 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3284 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3284 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3284 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 4644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 3964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4360 wrote to memory of 2944 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4360 wrote to memory of 2944 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4360 wrote to memory of 2944 N/A C:\PROGRA~1\INTERN~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3656 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp
PID 4892 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp
PID 4892 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp
PID 3656 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3656 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4892 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 2184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3656 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3656 wrote to memory of 216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 116 wrote to memory of 3356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 116 wrote to memory of 3356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 116 wrote to memory of 3356 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\runonce.exe
PID 3356 wrote to memory of 3196 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 3356 wrote to memory of 3196 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 3356 wrote to memory of 3196 N/A C:\Windows\SysWOW64\runonce.exe C:\Windows\SysWOW64\grpconv.exe
PID 1348 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp C:\Windows\SysWOW64\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat

C:\PROGRA~1\INTERN~1\iexplore.exe

C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f

C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp

C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f

C:\Windows\SysWOW64\reg.exe

reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E395A7~1.EXE > nul

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}

C:\Windows\SysWOW64\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp

C:\Windows\SysWOW64\rundll32.exe

rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf

C:\Windows\SysWOW64\rundll32.exe

rundll32 D:\VolumeDH\inj.dat,MainLoad

C:\Windows\SysWOW64\runonce.exe

"C:\Windows\system32\runonce.exe" -r

C:\Windows\SysWOW64\grpconv.exe

"C:\Windows\System32\grpconv.exe" -o

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp > nul
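
Nearly every process in the list above is a signed Windows binary (cmd.exe, reg.exe, rundll32.exe, attrib.exe, wscript.exe, runonce.exe, grpconv.exe) driven by dropped .bat and .inf files, so detection has to key on arguments rather than image names. The following is an added example, not from the report or the sandbox vendor, with argument-level rules a practitioner might run over this process list or over Sysmon event 1 / Security 4688 command lines: INF installation through rundll32's syssetup,SetupInfObjectInstallAction DefaultInstall entry point with the INF in a user profile, rundll32 loading a module that is not a .dll, reg add to the Internet Explorer Start Page, reg add under HKCR\CLSID, attrib +s +h on AppData content, wscript forced with -e:vbs to run a file that is not a .vbs, and cmd /c del ... > nul self-deletion from Temp. The rule names and the regexes are my own; the input is the command lines copied from the Processes section.

```python
import re
from collections import Counter

# Command lines copied from the Processes section above (behavioral2 run).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\e395a7cfaa1ab47217808666ad8ed4c2_JaffaCakes118.exe"',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "',
    r'C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat',
    r'C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133',
    r'rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf',
    r'C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat',
    r'reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f',
    r'reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f',
    r'reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f',
    r'C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp',
    r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4360 CREDAT:17410 /prefetch:2',
    r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f',
    r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\E395A7~1.EXE > nul',
    r'attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}',
    r'attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp',
    r'rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf',
    r'rundll32 D:\VolumeDH\inj.dat,MainLoad',
    r'"C:\Windows\system32\runonce.exe" -r',
    r'"C:\Windows\System32\grpconv.exe" -o',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp > nul',
]

# Rule names and patterns are this example's own, not the sandbox's signature names.
RULES = {
    # rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall <n> <inf> with the INF under C:\Users
    "inf_install_from_profile": re.compile(
        r"rundll32(?:\.exe)?\s+syssetup,SetupInfObjectInstallAction\s+DefaultInstall\s+\d+\s+\S*\\Users\\\S+\.inf\b", re.I),
    # rundll32 <module>.<ext>,<export> where <ext> is not dll (e.g. inj.dat,MainLoad)
    "rundll32_non_dll_module": re.compile(r"(?:^|\\)rundll32(?:\.exe)?\s+\"?(\S+?)\.(?!dll\b)[a-z0-9]{1,4},", re.I),
    # reg add ...\Internet Explorer\Main /v "Start Page"
    "ie_start_page_hijack": re.compile(r"\breg(?:\.exe)?\s+add\s+.*Internet Explorer\\Main.*/v\s+\"?Start Page", re.I),
    # reg add under HKCR\CLSID\{...} (class registration from a shell script rather than an installer)
    "clsid_key_via_reg_add": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\"?(?:HKCR|HKEY_CLASSES_ROOT|HKLM\\Software\\Classes)\\CLSID\\\{", re.I),
    # attrib +s/+h applied to something under AppData
    "hidden_dropped_files": re.compile(r"\battrib(?:\.exe)?\s+(?:\+[shr]\s+)*\+[sh]\b.*\\AppData\\", re.I),
    # wscript -e:<engine> <file> where <file> is not a script extension (here a .bat run as VBScript)
    "wscript_disguised_script": re.compile(
        r"\bwscript(?:\.exe)?\s+[-/]e:\w+\s+\"*[^\"\s]+\.(?!vbs\b|vbe\b|js\b|jse\b|wsf\b)[a-z0-9]+", re.I),
    # cmd /c del <...\Temp\...> > nul: the dropper removing itself or its stage
    "self_delete": re.compile(r"\bcmd(?:\.exe)?\"?\s+/c\s+del\s+\S*\\Temp\\\S+\s*>\s*nul\b", re.I),
    # cmd /c or /k running a .bat from the user profile
    "batch_from_profile": re.compile(r"\bcmd(?:\.exe)?\"?\s+/[ck]\s+\"*\S*\\Users\\\S+\.bat\b", re.I),
}


def scan_command_lines(cmdlines):
    """Return (rule_name, command_line) for every rule that fires on every line (a line may hit several)."""
    hits = []
    for line in cmdlines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
    return hits


def summarize(hits):
    """Count hits per rule, for a quick triage view of the chain."""
    return dict(Counter(name for name, _ in hits))


if __name__ == "__main__":
    for name, line in scan_command_lines(PROCESS_CMDLINES):
        print(f"{name:26} {line}")
```

Run over the 21 command lines this produces 15 hits: two INF installs, one non-DLL rundll32 load, two Start Page writes, two HKCR\CLSID writes, two attrib hides, one wscript -e:vbs on a .bat (the reg add line fires both the CLSID and the wscript rule), two self-deletes and three batch launches. runonce.exe -r and grpconv.exe -o are left alone: they are the normal follow-on of a DefaultInstall INF and are only interesting because of the rundll32 line that caused them.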

Network

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 www.cnkankan.com udp
US 8.8.8.8:53 jump3.35638.com udp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 8.8.8.8:53 bofangqi.6gg.cn udp
SG 170.33.13.246:80 bofangqi.6gg.cn tcp
US 8.8.8.8:53 42.146.224.156.in-addr.arpa udp
US 8.8.8.8:53 246.13.33.170.in-addr.arpa udp
US 8.8.8.8:53 push.zhanzhang.baidu.com udp
US 8.8.8.8:53 hm.baidu.com udp
US 8.8.8.8:53 sstatic1.histats.com udp
CA 54.39.128.162:80 sstatic1.histats.com tcp
CA 54.39.128.162:80 sstatic1.histats.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
HK 103.235.46.191:443 hm.baidu.com tcp
US 8.8.8.8:53 mohe.6gg.cn udp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
CN 14.215.182.161:80 push.zhanzhang.baidu.com tcp
SG 170.33.13.246:8012 mohe.6gg.cn tcp
US 8.8.8.8:53 162.128.39.54.in-addr.arpa udp
US 8.8.8.8:53 191.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
CN 39.156.68.163:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 112.34.113.148:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
CN 163.177.17.97:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 dl.pipi.cn udp
US 8.8.8.8:53 d.shasanguo.com udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 rsdownload.rising.com.cn udp
RU 163.171.149.73:80 rsdownload.rising.com.cn tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
CN 180.101.212.103:80 push.zhanzhang.baidu.com tcp
US 8.8.8.8:53 73.149.171.163.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp
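
Read raw, the Network table mixes four things: the sandbox's own resolver traffic to 8.8.8.8:53, reverse (in-addr.arpa) lookups the sandbox issues for every peer it sees, analytics and browser telemetry pulled in because the payload drives Internet Explorer, and the handful of hosts the sample actually connects to. The Python below is an added example, not sandbox output: it parses rows in the table's format, drops the noise, and reports the remaining connections, the names that were queried but never contacted, any non-standard port, and IPs shared by several domains. The sample rows are a shortened subset copied from the table above (a constructed input for the example), and the noise allowlist is an analyst assumption, not something the report states.

```python
"""IOC extraction over the Network table of this report. Added example, not
sandbox output: the parser and the noise allowlist are the author's own; the
rows below are a subset copied from the table above (constructed, shortened
input so the example runs offline)."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 kp.9n9n.net udp
US 8.8.8.8:53 www.cnkankan.com udp
US 8.8.8.8:53 jump3.35638.com udp
US 156.224.146.42:80 www.cnkankan.com tcp
US 156.224.146.42:80 www.cnkankan.com tcp
US 8.8.8.8:53 bofangqi.6gg.cn udp
SG 170.33.13.246:80 bofangqi.6gg.cn tcp
US 8.8.8.8:53 hm.baidu.com udp
HK 103.235.46.191:443 hm.baidu.com tcp
US 8.8.8.8:53 mohe.6gg.cn udp
SG 170.33.13.246:8012 mohe.6gg.cn tcp
US 8.8.8.8:53 rsdownload.rising.com.cn udp
RU 163.171.149.73:80 rsdownload.rising.com.cn tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumption: page analytics and IE's own telemetry, reached only because the
# payload opens Internet Explorer; treated as noise, not attacker infrastructure.
NOISE_HOSTS = {"hm.baidu.com", "push.zhanzhang.baidu.com",
               "sstatic1.histats.com", "ieonline.microsoft.com"}
RESOLVER = "8.8.8.8:53"          # the sandbox's DNS forwarder, per the table
STANDARD_PORTS = {"80", "443"}


@dataclass(frozen=True)
class Flow:
    country: str
    dest: str        # ip:port
    domain: str
    proto: str


def parse_network(text):
    """Parse 'Country Destination Domain Proto' rows; skips the header and blanks."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("tcp", "udp"):
            continue
        flows.append(Flow(*parts))
    return flows


def _port(dest):
    return dest.rsplit(":", 1)[1]


def _ip(dest):
    return dest.rsplit(":", 1)[0]


def extract_iocs(flows, noise=NOISE_HOSTS):
    connections = defaultdict(set)   # domain -> {ip:port} for non-resolver traffic
    queried = set()                  # names sent to the resolver
    ptr_lookups = 0
    for f in flows:
        if f.domain.endswith(".in-addr.arpa"):
            ptr_lookups += 1         # reverse lookups: sandbox noise, never C2
            continue
        if f.domain in noise:
            continue
        if f.dest == RESOLVER and f.proto == "udp":
            queried.add(f.domain)
        else:
            connections[f.domain].add(f.dest)

    ip_to_domains = defaultdict(set)
    for domain, dests in connections.items():
        for dest in dests:
            ip_to_domains[_ip(dest)].add(domain)

    nonstandard = {d: sorted(x for x in v if _port(x) not in STANDARD_PORTS)
                   for d, v in connections.items()}
    return {
        "connections": {d: sorted(v) for d, v in connections.items()},
        # queried but no connection seen: failed resolution, or a lookup outside capture
        "dns_only": sorted(queried - set(connections)),
        "nonstandard_ports": {d: v for d, v in nonstandard.items() if v},
        "shared_ips": {ip: sorted(ds) for ip, ds in ip_to_domains.items() if len(ds) > 1},
        "ptr_lookups": ptr_lookups,
    }


if __name__ == "__main__":
    for key, value in extract_iocs(parse_network(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

On the subset, the two 6gg.cn hosts land on the same IP, one of them on port 8012, and kp.9n9n.net is queried repeatedly without a follow-up connection; those are the rows worth pivoting on, while the analytics hosts and every in-addr.arpa line drop out.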

Files

memory/4892-0-0x00000000002F0000-0x0000000000317000-memory.dmp

memory/4892-1-0x0000000000DB0000-0x0000000000DB3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

MD5 c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA1 10b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256 b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512 409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

memory/4892-7-0x00000000002F0000-0x0000000000317000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

MD5 23962a245f75fe25510051582203aff1
SHA1 20832a3a1179bb2730194d2f7738d41d5d669a43
SHA256 1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512 dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

C:\Users\Admin\AppData\Roaming\PPLive\1.bat

MD5 b7c5e3b416b1d1b5541ef44662e1a764
SHA1 8bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256 f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA512 65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

memory/4360-52-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\1.inf

MD5 34c14b8530e1094e792527f7a474fe77
SHA1 f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256 fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA512 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

memory/4360-66-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-68-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-69-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-71-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-70-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-73-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-74-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-75-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-76-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-77-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\2.bat

MD5 6b78cb8ced798ca5df5612dd62ce0965
SHA1 5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA256 81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512 b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

memory/4360-79-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-81-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-83-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-85-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-86-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-88-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-89-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-90-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-92-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-95-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-96-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-97-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-98-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\4.bat

MD5 3b346b1c6cffb8c1e6f984a724f31370
SHA1 20af0274478a094bd8ec1dcc4a04271d0d32ad0f
SHA256 ac769ebae8cca77133b00cf111586808fd08384a37bc5bdb406ccdb6b9610ad3
SHA512 b68a2b749a60fc3c800d7ec87171860020955a0f39a7be6c05c6efb6775310a8dab053cf10ac579c6d82dcf5a5b5c657949985e294eecc453dbbcd10687a3df4

memory/4360-100-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-103-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-104-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\inl84A3.tmp

MD5 508dcb58630adadd629b3a07f8b76699
SHA1 ad434668b45a7b00c7eb215cf8d6d6f2f36fedd5
SHA256 d7dc414a2fc898ade3e212537db41ea109b4a33139c9c41d7ae54b2397e98b3d
SHA512 2fd798860b3c691d10db635151c9a011b17759554a2ad5ef51dfc49807d21e20a38badbb253588609ab64753380eb08bf6c1f120e44d6ecd0549fd1d53ab6767

memory/4360-110-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4892-112-0x0000000000DB0000-0x0000000000DB3000-memory.dmp

memory/4360-115-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-116-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4892-117-0x00000000002F0000-0x0000000000317000-memory.dmp

memory/4360-118-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\Roaming\PPLive\2.inf

MD5 ca436f6f187bc049f9271ecdcbf348fa
SHA1 bf8a548071cfc150f7affb802538edf03d281106
SHA256 6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512 d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

memory/4360-120-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-127-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-133-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-135-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-137-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-138-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-136-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-139-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-142-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-174-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-175-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-179-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-178-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

memory/4360-176-0x00007FFC5C810000-0x00007FFC5C87E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b12111c05887b2afca1de1c62672cfec
SHA1 79b8f9e072b8a9f6209b97e6e395e7d76a09f028
SHA256 0736eecaafdf6ca811969134fafe2e1dd27eba2403ab3ac7765a92127337d2c9
SHA512 e73de8f5bd2330b1d95b88d8dbb6a174e3871c3863e12ecb3c4a9b85d8adadaf39d54f4ac65af48fc584a7a8d0fef21dd7fdfd9ca9505e6ddb9e4a7cc0e98ae2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 47fb6533b90c4095e33d176762480f8d
SHA1 86f81b2ff313ea50c5e76d19984e645ce645a092
SHA256 ca44a87d2796deb0dcff806372c2746fc9f38b06ec36ffa71bba96681d3f7b69
SHA512 b3ded8f66bf033f33fa8f0ec3520415780b2559d47d6268810b7fd09e6a62da22e3a54e44bc9cdb6b4a794e43371ad2257c5855a19e7f2aaaa48131abffc3f39

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFFCC.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RGI21ZAG\favicon[2].ico

MD5 7ef1f0a0093460fe46bb691578c07c95
SHA1 2da3ffbbf4737ce4dae9488359de34034d1ebfbd
SHA256 4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c
SHA512 68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\u6vsmf8\imagestore.dat

MD5 156c611526c125bbea88dc25adc1af84
SHA1 6ca656add81fbd581d73179c5ebe016a60852975
SHA256 cca66345cda40ed82990fefcb0021a5a5c6237682a1fd1d8dd55c6308fd61c76
SHA512 4a4754887264962348f7e0d28f4c229682a397a4503e506a0a31a584006fa5a7ccccd461763a7a3725e999e8bd6b1f0f8ea14528ee4d030a156552d4492b0dbb

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XHJKUG17\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee