Malware Analysis Report

2025-01-18 21:35

Sample ID 240415-lflq2sdd8y
Target f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118
SHA256 8542afdaad8d127ed04e434de827844508fb8845106879019799a4789011a86b
Tags
adware persistence stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

8542afdaad8d127ed04e434de827844508fb8845106879019799a4789011a86b

Threat Level: Shows suspicious behavior

The file f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118 was classified as showing suspicious behavior (score 7/10).

Analyst summary, derived from the behavioral runs below: the sample is a RAR self-extractor that unpacks to %TEMP%\RarSFX0 and runs rinst.exe. rinst.exe writes PTFull.exe, PTFullhk.dll, PTFullwb.dll, pk.bin, inst.dat and a copy of itself into C:\Windows\SysWOW64, after which PTFull.exe is started. PTFull.exe registers PTFullwb.dll as an Internet Explorer Browser Helper Object (CLSID {1E1B2879-88FF-11D3-8D96-D7ACAC95951A}, ProgID PK.IE.1, display name "PK IE Plugin") through an ordinary COM self-registration, adds a Run value named PTFull for persistence, and repeatedly resolves smtp.aol.com and connects to it on TCP/25. No SMTP session content is recorded, but outbound mail from a freshly installed binary is consistent with log delivery by e-mail. The dropped file set (installer rinst.exe, hook DLL *hk.dll, browser DLL *wb.dll, pk.bin, inst.dat) and the type-library name "BPK IE Plugin Type Library" match the layout of a commercially sold keylogger whose stock binaries are named bpk*; this build ships them renamed to PTFull*.

Two points matter when turning the report into indicators. First, every write lands under Wow6432Node and SysWOW64 because the sample is 32-bit: the Run value and the BHO live in the 32-bit registry view, and the process list shows PTFull.exe started as C:\Windows\system32\PTFull.exe while the file sits in C:\Windows\SysWOW64. That is WOW64 file-system redirection, not two binaries. Second, the copies installed in SysWOW64 (PTFull.exe, PTFullhk.dll, PTFullwb.dll, pk.bin) hash differently from the staged copies in RarSFX0, so rinst.exe does not copy them byte-for-byte; hash-based detection should carry both sets.

Malicious Activity Summary

adware persistence stealer

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-15 09:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-15 09:28

Reported

2024-04-15 09:31

Platform

win7-20231129-en

Max time kernel

149s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PTFull = "C:\\Windows\\SysWOW64\\PTFull.exe" C:\Windows\SysWOW64\PTFull.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\Windows\SysWOW64\PTFull.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pk.bin C:\Windows\SysWOW64\PTFull.exe N/A
File created C:\Windows\SysWOW64\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\PTFull.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\PTFullhk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\PTFullwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\PTFullwb.dll" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWOW64\\" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\PTFullwb.dll" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\PTFull.exe N/A
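
The rows above record a complete COM self-registration (ProgID, CLSID, InprocServer32, TypeLib, Interface) plus the Browser Helper Objects entry that makes Internet Explorer load it. The script below is an added example for this report, not sandbox-vendor or malware code: it parses rows in the layout these tables use, links the BHO CLSID to the DLL named in its InprocServer32 value, and collects Run values, which is the correlation an analyst does by hand when building indicators. SAMPLE_ROWS are constructed by copying rows from the tables above so the script runs offline; parse_row() assumes the column layout "<op> <key>[ = "<value>"] <process> <target>".

```python
"""Correlate a sandbox report's registry rows into BHO and Run-key indicators.

Added example for this report; it is not sandbox-vendor or malware code.
SAMPLE_ROWS are constructed by copying rows from the behavioral1 tables of
the report, so the script runs offline.  parse_row() assumes the row layout
those tables use: "<op> <key>[ = "<value>"] <process> <target>".
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PTFull = "C:\\Windows\\SysWOW64\\PTFull.exe" C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWOW64\\PTFullwb.dll" C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\Windows\SysWOW64\PTFull.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\Windows\SysWOW64\PTFull.exe N/A',
    r'N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A',  # not a registry row; must be ignored
]

SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<val>(?:[^"\\]|\\.)*)" '
    r'(?P<proc>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(
    r'^Key (?P<op>created|deleted) (?P<key>.+?) (?P<proc>[A-Za-z]:\\\S+) (?P<target>\S+)$')
GUID = r'\{[0-9A-Fa-f-]{36}\}'
CLSID_RE = re.compile(r'\\CLSID\\(' + GUID + r')\\(\w+)$', re.I)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(' + GUID + r')$', re.I)
HIVES = {'\\REGISTRY\\MACHINE\\': 'HKLM\\', '\\REGISTRY\\USER\\': 'HKU\\'}


@dataclass
class RegEvent:
    op: str                    # "set" or "key"
    key: str                   # key path with hive abbreviated, value name removed
    value_name: Optional[str]  # "" for the (Default) value, None for key ops
    value: Optional[str]
    process: str


def normalize_key(key: str) -> str:
    """Map the kernel-style \\REGISTRY\\MACHINE prefix to the HKLM form reg.exe uses."""
    for raw, short in HIVES.items():
        if key.upper().startswith(raw):
            return short + key[len(raw):]
    return key


def parse_row(row: str) -> Optional[RegEvent]:
    m = SET_RE.match(row)
    if m:
        # The key column ends in the value name; a trailing "\" means (Default).
        key, _, name = normalize_key(m['key']).rpartition('\\')
        # The report escapes backslashes inside quoted string values.
        return RegEvent('set', key, name, m['val'].replace('\\\\', '\\'), m['proc'])
    m = KEY_RE.match(row)
    if m:
        return RegEvent('key', normalize_key(m['key']), None, None, m['proc'])
    return None


def build_iocs(rows):
    """Link each BHO CLSID to its InprocServer32 DLL and collect Run values."""
    bho, clsid, run = {}, {}, {}
    for ev in filter(None, map(parse_row, rows)):
        m = BHO_RE.search(ev.key)
        if m:
            entry = bho.setdefault(m.group(1).upper(),
                                   {'name': None, 'wow64': False, 'process': ev.process})
            # Wow6432Node is the 32-bit registry view: only 32-bit IE/Explorer see it.
            entry['wow64'] = entry['wow64'] or 'WOW6432NODE' in ev.key.upper()
            if ev.op == 'set' and ev.value_name == '':
                entry['name'] = ev.value      # the (Default) value is the display name
            continue
        m = CLSID_RE.search(ev.key)
        if m and ev.op == 'set':
            info, sub = clsid.setdefault(m.group(1).upper(), {}), m.group(2).lower()
            if sub == 'inprocserver32' and ev.value_name == '':
                info['dll'] = ev.value        # the DLL COM loads for this CLSID
            elif sub == 'inprocserver32' and ev.value_name.lower() == 'threadingmodel':
                info['threading'] = ev.value
            elif sub == 'progid' and ev.value_name == '':
                info['progid'] = ev.value
            continue
        if ev.op == 'set' and ev.key.upper().endswith('\\CURRENTVERSION\\RUN'):
            run[ev.value_name] = ev.value
    resolved = [dict(clsid=c, **meta, **clsid.get(c, {})) for c, meta in bho.items()]
    return {'bho': resolved, 'run': run}


if __name__ == '__main__':
    print(json.dumps(build_iocs(SAMPLE_ROWS), indent=2))
```

Run as-is it prints the correlated indicators as JSON. When carrying them to a live host, query both the native and the Wow6432Node paths: a 64-bit reg.exe or PowerShell session reading HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects sees only the 64-bit view and will miss this entry unless it also reads the Wow6432Node path (or runs reg query with /reg:32).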

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A (2 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A (64 identical events; the sandbox records no indicator or target for this signature)

Processes

Image C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe"

Image C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
Command line "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

Image C:\Windows\SysWOW64\PTFull.exe
Command line C:\Windows\system32\PTFull.exe

The system32 path in the last command line is the WOW64-redirected view used by the 32-bit caller; the file on disk, and the path stored in the Run value, is C:\Windows\SysWOW64\PTFull.exe. There is only one PTFull.exe.

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 fbe4bab53f74d3049ef4b306d4cd8742
SHA1 6504b63908997a71a65997fa31eda4ae4de013e7
SHA256 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
SHA512 d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 2e824bedbedc08ca78f749c14554f0b2
SHA1 29950c8777b07e871fb7173d478ec176164bab8f
SHA256 bc1236396e822ac424d89931aa8467a756fb816fcf432eceee679ee52e3d4db2
SHA512 288385bc64c12bd216d6d93aa103498413567e2246eda9700697f7d700af175058bd9509fab78f77174ecc526ccb1a955761d38024f11c6930fb915d2d95e03c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFull.exe

MD5 02514f474dbdf4e0521d3190b8c73a3e
SHA1 6824d1313a400701c82132634cb8004ae65b0673
SHA256 69d2adcf1f56750710023863d3cfa774af02a651fc5ba1f2c686f21f04956f07
SHA512 de1f130ed2e3d88798196f2687a7a12729ff94780ab64a0fb8abf87eb52d834ba3a006e2f444f7903966619774d12129c54ee74802668a0fee85fa191aff1396

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFullwb.dll

MD5 77cf4d942cd9b5b4932c994e149e3737
SHA1 c9d8d0fafc6351bd4f7546d6f2377838ccdaca93
SHA256 f2e6aea327ec42a0212ea8929e82b0c82d3c612804a3a81124854eb96ecd4a9e
SHA512 ae65a24f9b840685d2bb74f696e97e13a2bb92e632e059d318fd21e7ef59cd91b7cb39519e899d1f98ed6f240de1a4476095c6ca9b067f76d341ee2c65f020fe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFullhk.dll

MD5 6f7a01f691dfdd7b927f6d10b2af07d2
SHA1 4150af6840f839de7d97b3bac7c8d1679ded91dd
SHA256 07d814968160e846bdfa99088b73ddb9184fdac501ed304041c7630e44756b1e
SHA512 37b2c25cba8838e8a63521e81549465c4a45c372d5f30d343ac373e84b8a954602c3bf9229087210ff17962fff25d797f5996df782369adcbbb01aa15983bcd5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 b4ddcb34687bac5e0ad526e1f70cb2ff
SHA1 d70563efd8497dc60729f7b8c664ea2c3c227e1c
SHA256 16005f8471d3dd20cef1a6186b1e1aa82ed86e4fd12957bb1b5c979693735fe1
SHA512 540da178bd033e595949f2d731547f95e3bb691fbeacd947e85dbbdb4f4bd04a5d1a5c0e44622d5ef811d33747aa8ad2aa8ceee3f2a39cbed118102472d0fd63

C:\Windows\SysWOW64\PTFull.exe

MD5 1112e89859a0f2b052d5eb1626e25664
SHA1 7864b86a7e0ac3fc28e898d06eefc829e8d3be02
SHA256 92ff08bfffa729b69d6e4e128ee2fa03a1c1f367b168213e907bd3f70d64cb61
SHA512 c45f365ade9829f07605e686d3998e24f39c7b73b97639412191d4fc0fda3bfa1a087669a9a8ba1eb859ff8135c80df730e4709594201cb531b2bc08ececcb9e

C:\Windows\SysWOW64\pk.bin

MD5 0d034f7f28712e86ebcaee75063bd4e4
SHA1 07705feb1406a04056c1fc3e5f504c0aaf398bdf
SHA256 acfbd6dad88b595086284f80946c91992bd8a985ed360840363a1f101c862d8e
SHA512 d46668457dfd06f9d8ac84f29650f4b09bfdd8e6216c0c87d5d9d0f241956947d2df9da601e098b336b09261c6f2fe5883b17f24870124caa6c8bffcfb2fe4ee

C:\Windows\SysWOW64\PTFullhk.dll

MD5 7719e3244553dce7b70a9d1083e291dc
SHA1 d7147a052b19bb08356ba6dea5cc0e6486a0121d
SHA256 6c48b4fe62614ad35aab89b534310024770fbcaa669d50a462f4973feeee926f
SHA512 5ea1aad723e1043028136c943899e5a33e4b58b119c927fb001891facae656277969ec31cd7035680eb5d97e401c22577a082c2cf728e9142a3f0c62d1d99beb

C:\Windows\SysWOW64\PTFullwb.dll

MD5 21d4e01f38b5efd64ad6816fa0b44677
SHA1 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
SHA256 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
SHA512 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

memory/836-57-0x0000000000400000-0x0000000000413000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-15 09:28

Reported

2024-04-15 09:31

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PTFull = "C:\\Windows\\SysWOW64\\PTFull.exe" C:\Windows\SysWOW64\PTFull.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "PK IE Plugin" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\PTFullwb.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\inst.dat C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\rinst.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File opened for modification C:\Windows\SysWOW64\pk.bin C:\Windows\SysWOW64\PTFull.exe N/A
File created C:\Windows\SysWOW64\pk.bin C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\PTFull.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
File created C:\Windows\SysWOW64\PTFullhk.dll C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\ = "IE Plugin Class" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID\ = "{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID\ = "PK.IE.1" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID\ = "PK.IE" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\ = "BPK IE Plugin Type Library" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1 C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE.1\CLSID C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ = "C:\\Windows\\SysWow64\\PTFullwb.dll" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\PTFullwb.dll" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ = "IViewSource" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\ = "IE Class" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ProgID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CLSID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\Programmable C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\TypeLib C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0\HELPDIR C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\ = "IE Plugin Class" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\VersionIndependentProgID C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A} C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\TypeLib\ = "{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\PK.IE\CurVer\ = "PK.IE.1" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32 C:\Windows\SysWOW64\PTFull.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E1B2879-88FF-11D3-8D96-D7ACAC95951A}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1E1B286C-88FF-11D3-8D96-D7ACAC95951A}\1.0 C:\Windows\SysWOW64\PTFull.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1E1B2878-88FF-11D3-8D96-D7ACAC95951A}\ProxyStubClsid32 C:\Windows\SysWOW64\PTFull.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Both entries belong to the sandbox image's own 7-Zip File Manager, which was opened on the dropped PTFull123.rar (see Processes). Privilege number 35 is SeCreateSymbolicLinkPrivilege (SE_CREATE_SYMBOLIC_LINK_NAME_PRIVILEGE in winnt.h), which 7-Zip enables alongside SeRestorePrivilege when extracting archives. None of the sample's own processes appear in this table.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A (2 identical events)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PTFull.exe N/A (64 identical events; the sandbox records no indicator or target for this signature)

Processes

Image C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe
Command line "C:\Users\Admin\AppData\Local\Temp\f0bcd93fdef5e51a1186585f8a870bf6_JaffaCakes118.exe"

Image C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe
Command line "C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe"

Image C:\Program Files\7-Zip\7zFM.exe
Command line "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFull123.rar"

Image C:\Windows\SysWOW64\PTFull.exe
Command line C:\Windows\system32\PTFull.exe

Image C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Notes on this tree: 7zFM.exe is the 7-Zip File Manager installed in the sandbox image, not a dropped tool. It was opened on the dropped PTFull123.rar, most likely the decoy a user is meant to see while rinst.exe installs in the background, and the AdjustPrivilegeToken and FindShellTrayWindow entries for it under Signatures are 7-Zip's own behaviour. The system32 path in PTFull.exe's command line is the WOW64-redirected view used by the 32-bit caller; the file on disk, and the Run value, are C:\Windows\SysWOW64\PTFull.exe. The msedge.exe utility process is routine Windows 10 background activity; nothing in the report ties it to the sample, and a Browser Helper Object is loaded by Internet Explorer and Explorer, not by Edge.

Network

The sample-attributable traffic is the repeated smtp.aol.com lookup followed by a TCP/25 connection to 87.248.97.31, the same pattern seen on Windows 7. The in-addr.arpa reverse lookups and the connections to 23.44.234.16:80 and 13.107.253.64:443 carry no domain and are consistent with Windows 10 background traffic; they should not be turned into indicators without further evidence.

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 smtp.aol.com udp
IE 87.248.97.31:25 smtp.aol.com tcp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\rinst.exe

MD5 fbe4bab53f74d3049ef4b306d4cd8742
SHA1 6504b63908997a71a65997fa31eda4ae4de013e7
SHA256 446658dd5af649857fff445c600f26cdc1d0c19c86a080f312b89b1890182092
SHA512 d458ab806a3ed3d1494a13ad8a75df874a0b227cb4f337996cb82df3c4a26dc9c4fe48a664b53b052a4af123ea8d89911d9d9493870e6b5992d5621a32260c2f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\inst.dat

MD5 2e824bedbedc08ca78f749c14554f0b2
SHA1 29950c8777b07e871fb7173d478ec176164bab8f
SHA256 bc1236396e822ac424d89931aa8467a756fb816fcf432eceee679ee52e3d4db2
SHA512 288385bc64c12bd216d6d93aa103498413567e2246eda9700697f7d700af175058bd9509fab78f77174ecc526ccb1a955761d38024f11c6930fb915d2d95e03c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFull123.rar

MD5 9c76200ac9a9749117a8f1d8395a3248
SHA1 e65d70b07aa7fe261460fc5af68944d9c8a9b0d6
SHA256 3b07c42d66409b470d45e09684b5738e0b6c165900b50d61abf5d38bab09bcec
SHA512 7b66f581d85816a715b136f048aaf15ab9f99510e14021e4e89847c9527716ae667a2945e8a6d8a317220edf7933456e4add8575552db1306bceb93d26d0475d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFull.exe

MD5 02514f474dbdf4e0521d3190b8c73a3e
SHA1 6824d1313a400701c82132634cb8004ae65b0673
SHA256 69d2adcf1f56750710023863d3cfa774af02a651fc5ba1f2c686f21f04956f07
SHA512 de1f130ed2e3d88798196f2687a7a12729ff94780ab64a0fb8abf87eb52d834ba3a006e2f444f7903966619774d12129c54ee74802668a0fee85fa191aff1396

C:\Users\Admin\AppData\Local\Temp\RarSFX0\pk.bin

MD5 b4ddcb34687bac5e0ad526e1f70cb2ff
SHA1 d70563efd8497dc60729f7b8c664ea2c3c227e1c
SHA256 16005f8471d3dd20cef1a6186b1e1aa82ed86e4fd12957bb1b5c979693735fe1
SHA512 540da178bd033e595949f2d731547f95e3bb691fbeacd947e85dbbdb4f4bd04a5d1a5c0e44622d5ef811d33747aa8ad2aa8ceee3f2a39cbed118102472d0fd63

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFullhk.dll

MD5 6f7a01f691dfdd7b927f6d10b2af07d2
SHA1 4150af6840f839de7d97b3bac7c8d1679ded91dd
SHA256 07d814968160e846bdfa99088b73ddb9184fdac501ed304041c7630e44756b1e
SHA512 37b2c25cba8838e8a63521e81549465c4a45c372d5f30d343ac373e84b8a954602c3bf9229087210ff17962fff25d797f5996df782369adcbbb01aa15983bcd5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PTFullwb.dll

MD5 77cf4d942cd9b5b4932c994e149e3737
SHA1 c9d8d0fafc6351bd4f7546d6f2377838ccdaca93
SHA256 f2e6aea327ec42a0212ea8929e82b0c82d3c612804a3a81124854eb96ecd4a9e
SHA512 ae65a24f9b840685d2bb74f696e97e13a2bb92e632e059d318fd21e7ef59cd91b7cb39519e899d1f98ed6f240de1a4476095c6ca9b067f76d341ee2c65f020fe

C:\Windows\SysWOW64\PTFull.exe

MD5 1112e89859a0f2b052d5eb1626e25664
SHA1 7864b86a7e0ac3fc28e898d06eefc829e8d3be02
SHA256 92ff08bfffa729b69d6e4e128ee2fa03a1c1f367b168213e907bd3f70d64cb61
SHA512 c45f365ade9829f07605e686d3998e24f39c7b73b97639412191d4fc0fda3bfa1a087669a9a8ba1eb859ff8135c80df730e4709594201cb531b2bc08ececcb9e

C:\Windows\SysWOW64\pk.bin

MD5 0d034f7f28712e86ebcaee75063bd4e4
SHA1 07705feb1406a04056c1fc3e5f504c0aaf398bdf
SHA256 acfbd6dad88b595086284f80946c91992bd8a985ed360840363a1f101c862d8e
SHA512 d46668457dfd06f9d8ac84f29650f4b09bfdd8e6216c0c87d5d9d0f241956947d2df9da601e098b336b09261c6f2fe5883b17f24870124caa6c8bffcfb2fe4ee

C:\Windows\SysWOW64\PTFullhk.dll

MD5 7719e3244553dce7b70a9d1083e291dc
SHA1 d7147a052b19bb08356ba6dea5cc0e6486a0121d
SHA256 6c48b4fe62614ad35aab89b534310024770fbcaa669d50a462f4973feeee926f
SHA512 5ea1aad723e1043028136c943899e5a33e4b58b119c927fb001891facae656277969ec31cd7035680eb5d97e401c22577a082c2cf728e9142a3f0c62d1d99beb

C:\Windows\SysWOW64\PTFullwb.dll

MD5 21d4e01f38b5efd64ad6816fa0b44677
SHA1 5242d2c5b450c773b9fa3ad014a8aba9b7bb206a
SHA256 3285df0c25d4b9b6d5ccbe166a3ce3d04f5cb3a0d61c8bf29bf5f953e51b0977
SHA512 77dae941676a56664da89c7670d29ed5402032c8040df1cc231986733c78f0dc56c41f7a276ec9ea8336e3fa2bfc68d3121048e9585bf0d8a98917d799f669b8

memory/4160-46-0x0000000000400000-0x0000000000413000-memory.dmp

memory/4160-48-0x0000000000400000-0x0000000000413000-memory.dmp