Analysis Overview
SHA256
6bb7ad593e18dc28620551328658c9d986ac7afe44aaf5cacb140fa6fe686bca
Threat Level: Known bad
The file 4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Gozi
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-17 10:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-17 10:50
Reported
2024-05-17 10:53
Platform
win7-20240508-en
Max time kernel
140s
Max time network
120s
Command Line
Signatures
Gozi
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2480 wrote to memory of 292 | N/A | C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 292 | N/A | C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 292 | N/A | C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2480 wrote to memory of 292 | N/A | C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 120
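The WriteProcessMemory rows above all have the same writer (PID 2480, the sample) and the same target (PID 292, whose image is WerFault.exe), and the only WerFault command line in this run is `WerFault.exe -u -p 2480 -s 120`, where `-p` names the faulting process. The following triage helper is an added example, not part of the sandbox report: it correlates each "PID X wrote to memory of Y" row with the target's command line and, when Y is a WerFault instance reporting on X itself, labels the write as the crash-reporting handoff (the faulting process launching its own error reporter) rather than a write into an unrelated process. The report does not print WerFault's PID, so pinning 292 to that command line is an assumption made here; the "explorer.exe" row is a constructed counter-example.

```python
import re

# Description column of the four WriteProcessMemory rows in behavioral1 (copied).
WPM_ROWS = [
    "PID 2480 wrote to memory of 292",
    "PID 2480 wrote to memory of 292",
    "PID 2480 wrote to memory of 292",
    "PID 2480 wrote to memory of 292",
]

# Process command lines from behavioral1. Assumption: the report does not show
# WerFault's PID, so we map it to 292, the target PID named by the rows above.
PROCESSES = {
    2480: r'"C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe"',
    292: r"C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 120",
}

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# WerFault's -p argument is the PID of the process being reported on.
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*\s-p\s+(\d+)", re.IGNORECASE)


def classify_write(desc, processes):
    """Return (writer_pid, target_pid, verdict) for one WriteProcessMemory row."""
    m = WPM_RE.search(desc)
    if not m:
        raise ValueError(f"unrecognised row: {desc}")
    writer, target = int(m.group(1)), int(m.group(2))
    cmd = processes.get(target, "")
    w = WERFAULT_RE.search(cmd)
    if w and int(w.group(1)) == writer:
        # The target is WerFault reporting on the writer itself: consistent with
        # the faulting process spawning its own crash handler.
        verdict = "crash-handler handoff"
    elif w:
        verdict = "write into WerFault for another process"
    else:
        verdict = "cross-process write (review for injection)"
    return writer, target, verdict


def summarise(rows, processes):
    """Collapse repeated rows into counts per (writer, target, verdict)."""
    counts = {}
    for desc in rows:
        key = classify_write(desc, processes)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (writer, target, verdict), n in summarise(WPM_ROWS, PROCESSES).items():
        print(f"{writer} -> {target}: {verdict} ({n} writes)")
```

Only the pairing of writer PID with WerFault's `-p` argument makes the verdict; a write into WerFault that reports on some other PID, or into any non-WerFault image, still comes back as something to review.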
Network
Files
memory/2480-0-0x0000000000F10000-0x0000000000FB4000-memory.dmp
memory/2480-1-0x0000000000F10000-0x0000000000FB4000-memory.dmp
memory/2480-2-0x0000000000F75000-0x0000000000F7A000-memory.dmp
memory/2480-3-0x0000000000F10000-0x0000000000FB4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-17 10:50
Reported
2024-05-17 10:53
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Gozi
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31107144" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{974636A2-143B-11EF-B541-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d5b14faf460f94697b58b95a53f8d1400000000020000000000106600000001000020000000e6a7bbaa9048e6d8c24b2bb5a677e87dea415bb5d0545eb163300604d8d1cc67000000000e80000000020000200000001178e65855ccdf6b746450c31e25cae0ed795fab635712d043c78c3f8eb99f1f200000006235350ad16efdc677433055caae3e1abd8197a6f4aada81b91f03a33149658640000000c7742adfa581338204c04a1151d2e966a369324560add2afef161d8a9b5ceb6ca312bf8ae3b2f73aca3c42f9bf971d6f86a58f63c4fc3152aae6802dfea1f0c3 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d5b14faf460f94697b58b95a53f8d14000000000200000000001066000000010000200000006d2142059fcf1796ab4c3a60ef28e9cd34c695a04079467f69abf677b1c4c389000000000e800000000200002000000000a03c313e6e7e5019a61b930ff16c99b53122b16c0fa61b9e23a922c823d28620000000a1073f36f99d93c67dd03883d82c7d455df7d386ee80a0ed6d6911250d5e35b7400000002d297973efbe016ff78524684d5c358c5cc464dd5ff9f76227f9eb1804fd6e655fd47c1aeda7161c652fd938876257fa57abcb6735a234b2b07fe2831934251f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d3853748a8da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7B808E7A-143B-11EF-B541-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50da4a4048a8da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A45BFE02-143B-11EF-B541-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\avast.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "820741855" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{5C84F6EF-143B-11EF-B541-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d5b14faf460f94697b58b95a53f8d14000000000200000000001066000000010000200000005ffb2fba63a27dae9f2d37c36bb47d187523c9d9d1349fcb0cb74eb319d65710000000000e8000000002000020000000758094be9d2968293233aca7ae88f2e3e6bc3a27c5e65e28353bc3df97bd3ece200000003d9110fc5b4dd64a180ad8609382e5a00ca63be5291f19a21964ada36dd1daa140000000547066e23db77b8eb361bab95c351c9948263ad09263ca4ffee4e429d420e1b8870a2166ae65e197f0e5107fabcd73b4a570014e007335cb20a2831b4a557e4f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.avast.com\ = "17" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\avast.com\Total = "17" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\MINIE | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8A3EBE07-143B-11EF-B541-7AB71B943571} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "820741855" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01e705a48a8da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001d5b14faf460f94697b58b95a53f8d140000000002000000000010660000000100002000000093986649d03809f943f91e098912637f23873c44623e81a53742f8fedf84dc4a000000000e8000000002000020000000ab66dadcfd725f7e849a4d24823969a279cf9fecd187852297308e09f0daff3e20000000f0dbab5447d6ee7483d1dada0d855d53bf96379cc5e562e5c62af21a421e74d040000000e6d7cbbe5aa8a9fae93c8db6674f9daff6e2967ae657478017c653afc91c63b6b6357109b26f72116636107713bef44922f39d091052674cd0ed351a9445c455 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4f9fc7ffc48e4051b8eb52a5f113ba1c_JaffaCakes118.exe"
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1044 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4980 CREDAT:17410 /prefetch:2
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5028 CREDAT:17410 /prefetch:2
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| CZ | 2.19.217.218:443 | www.microsoft.com | tcp |
| CZ | 2.19.217.218:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | 133.250.112.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 218.217.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.onestore.ms | udp |
| US | 8.8.8.8:53 | ajax.aspnetcdn.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| NL | 23.51.70.13:443 | assets.onestore.ms | tcp |
| NL | 23.51.70.13:443 | assets.onestore.ms | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 64.246.107.13.in-addr.arpa | udp |
| US | 152.199.19.160:443 | ajax.aspnetcdn.com | tcp |
| US | 152.199.19.160:443 | ajax.aspnetcdn.com | tcp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.70.51.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avast.com | udp |
| CZ | 104.64.116.3:80 | avast.com | tcp |
| CZ | 104.64.116.3:80 | avast.com | tcp |
| US | 8.8.8.8:53 | www.avast.com | udp |
| CZ | 104.64.116.3:80 | www.avast.com | tcp |
| CZ | 104.64.116.3:80 | www.avast.com | tcp |
| CZ | 104.64.116.3:443 | www.avast.com | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 8.8.8.8:53 | static3.avast.com | udp |
| US | 8.8.8.8:53 | assets.adobedtm.com | udp |
| US | 104.19.178.52:443 | cdn.cookielaw.org | tcp |
| US | 104.19.178.52:443 | cdn.cookielaw.org | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| CZ | 23.73.141.197:443 | static3.avast.com | tcp |
| SE | 23.34.232.228:443 | assets.adobedtm.com | tcp |
| SE | 23.34.232.228:443 | assets.adobedtm.com | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.116.64.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.178.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.141.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.232.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dpm.demdex.net | udp |
| US | 8.8.8.8:53 | www.nortonlifelock.com | udp |
| IE | 52.214.218.223:443 | dpm.demdex.net | tcp |
| IE | 52.214.218.223:443 | dpm.demdex.net | tcp |
| CZ | 2.19.216.156:443 | www.nortonlifelock.com | tcp |
| CZ | 2.19.216.156:443 | www.nortonlifelock.com | tcp |
| US | 8.8.8.8:53 | widget.trustpilot.com | udp |
| GB | 54.192.137.4:443 | widget.trustpilot.com | tcp |
| GB | 54.192.137.4:443 | widget.trustpilot.com | tcp |
| US | 8.8.8.8:53 | geolocation.onetrust.com | udp |
| US | 8.8.8.8:53 | symantec.demdex.net | udp |
| US | 8.8.8.8:53 | cm.everesttech.net | udp |
| IE | 18.200.225.135:443 | symantec.demdex.net | tcp |
| IE | 18.200.225.135:443 | symantec.demdex.net | tcp |
| IE | 34.252.79.101:443 | cm.everesttech.net | tcp |
| IE | 34.252.79.101:443 | cm.everesttech.net | tcp |
| US | 104.18.32.137:443 | geolocation.onetrust.com | tcp |
| US | 104.18.32.137:443 | geolocation.onetrust.com | tcp |
| US | 8.8.8.8:53 | static.hotjar.com | udp |
| US | 8.8.8.8:53 | bat.bing.com | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.218.214.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.216.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.137.192.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.32.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.225.200.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.79.252.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.178.204.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.216.138.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.yimg.com | udp |
| US | 8.8.8.8:53 | mstatic.avast.com | udp |
| US | 204.79.197.237:443 | bat.bing.com | tcp |
| US | 204.79.197.237:443 | bat.bing.com | tcp |
| GB | 13.224.245.61:443 | static.hotjar.com | tcp |
| GB | 13.224.245.61:443 | static.hotjar.com | tcp |
| GB | 87.248.114.12:443 | s.yimg.com | tcp |
| GB | 87.248.114.12:443 | s.yimg.com | tcp |
| NL | 20.50.2.44:443 | mstatic.avast.com | tcp |
| NL | 20.50.2.44:443 | mstatic.avast.com | tcp |
| US | 8.8.8.8:53 | connect.facebook.net | udp |
| GB | 163.70.151.21:443 | connect.facebook.net | tcp |
| GB | 163.70.151.21:443 | connect.facebook.net | tcp |
| US | 8.8.8.8:53 | ocsp.r2m03.amazontrust.com | udp |
| GB | 143.204.67.183:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 8.8.8.8:53 | ocsp.rootca3.amazontrust.com | udp |
| GB | 108.138.216.113:80 | ocsp.rootca3.amazontrust.com | tcp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| GB | 18.245.253.99:443 | script.hotjar.com | tcp |
| GB | 18.245.253.99:443 | script.hotjar.com | tcp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.245.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.114.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.2.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.67.204.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.253.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | znb3hblkjhhpwrz9k-gendigital.siteintercept.qualtrics.com | udp |
| US | 104.17.209.240:443 | znb3hblkjhhpwrz9k-gendigital.siteintercept.qualtrics.com | tcp |
| US | 104.17.209.240:443 | znb3hblkjhhpwrz9k-gendigital.siteintercept.qualtrics.com | tcp |
| US | 8.8.8.8:53 | siteintercept.qualtrics.com | udp |
| US | 104.17.208.240:443 | siteintercept.qualtrics.com | tcp |
| US | 104.17.208.240:443 | siteintercept.qualtrics.com | tcp |
| US | 8.8.8.8:53 | 240.209.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.208.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 104.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f4859della.info | udp |
| US | 8.8.8.8:53 | f4859della.info | udp |
| US | 8.8.8.8:53 | z89p68modesta.top | udp |
| US | 8.8.8.8:53 | z89p68modesta.top | udp |
| US | 8.8.8.8:53 | 136.71.105.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g54fz534ci.xyz | udp |
| US | 8.8.8.8:53 | g54fz534ci.xyz | udp |
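Most of the network table is Internet Explorer noise (microsoft.com, avast.com and the advertising and CDN hosts those pages pull in), each name appearing as a DNS query followed by a TCP connection. The last three names, f4859della.info, z89p68modesta.top and g54fz534ci.xyz, appear only as DNS queries with no connection afterwards; www.bing.com is the reverse case, a TCP connection with no logged query. The script below is an added example (ours, not the sandbox's) that sorts a pipe-table like the one above into those three groups, ignoring reverse (in-addr.arpa) lookups. The embedded rows are a constructed subset of the table, not the full list.

```python
import re
from collections import defaultdict

# Constructed subset of the behavioral2 Network table above, same column order
# (Country | Destination | Domain | Proto). Not the complete table.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | microsoft.com | udp |
| US | 20.112.250.133:80 | microsoft.com | tcp |
| US | 8.8.8.8:53 | www.avast.com | udp |
| CZ | 104.64.116.3:443 | www.avast.com | tcp |
| BE | 2.17.107.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | f4859della.info | udp |
| US | 8.8.8.8:53 | f4859della.info | udp |
| US | 8.8.8.8:53 | z89p68modesta.top | udp |
| US | 8.8.8.8:53 | z89p68modesta.top | udp |
| US | 8.8.8.8:53 | g54fz534ci.xyz | udp |
| US | 8.8.8.8:53 | g54fz534ci.xyz | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(udp|tcp)\s*\|$"
)


def parse_rows(text):
    """Yield (country, destination, domain, proto) from pipe-table rows."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield m.groups()


def is_reverse_lookup(domain):
    return domain.endswith(".in-addr.arpa") or domain.endswith(".ip6.arpa")


def triage(text):
    """Group domains into queried-only, connected-only, and both."""
    queried = defaultdict(int)     # domain -> number of DNS queries
    connected = defaultdict(set)   # domain -> set of ip:port reached over TCP
    for _country, dest, domain, proto in parse_rows(text):
        if proto == "udp" and dest.endswith(":53"):
            if not is_reverse_lookup(domain):
                queried[domain] += 1
        elif proto == "tcp":
            connected[domain].add(dest)
    dns_only = {d: n for d, n in queried.items() if d not in connected}
    connect_only = {d: sorted(v) for d, v in connected.items() if d not in queried}
    both = sorted(d for d in queried if d in connected)
    return {"dns_only": dns_only, "connect_only": connect_only, "both": both}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for label in ("dns_only", "connect_only", "both"):
        print(label, result[label])
```

The "dns_only" group is the one to pivot on: a name that the sample asks for repeatedly but never reaches is either not registered, sinkholed, or blocked in the sandbox, and in any of those cases the query itself is the indicator worth keeping. The "connect_only" group usually means a name resolved from cache or outside the capture window, which is the case for www.bing.com here.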
Files
memory/5052-1-0x0000000000E60000-0x0000000000F04000-memory.dmp
memory/5052-0-0x0000000000E60000-0x0000000000F04000-memory.dmp
memory/5052-3-0x0000000000E60000-0x0000000000F04000-memory.dmp
memory/5052-2-0x0000000000EC5000-0x0000000000ECA000-memory.dmp
memory/5052-4-0x0000000000E40000-0x0000000000E4F000-memory.dmp
memory/5052-50-0x0000000000E60000-0x0000000000F04000-memory.dmp
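The memory dump names in both runs encode the PID, a sequence number and the dumped address range. Read that way, the main region is 0xA4000 bytes long in both runs (0xF10000-0xFB4000 under PID 2480 on Windows 7, 0xE60000-0xF04000 under PID 5052 on Windows 10), i.e. the same image loaded at a different base, and the 0x5000-byte sub-range inside it is also present in both; only the Windows 10 run adds a separate 0xF000-byte region at 0xE40000. The parser below is an added example, not tooling from the sandbox: it decodes the names, collapses repeated dumps of the same range, and reports which region sizes recur across runs. The run labels are the report's own section names; the dump names are copied from the two Files sections.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 (PID 2480) and behavioral2 (PID 5052)
# Files sections above.
DUMPS = {
    "behavioral1": [
        "memory/2480-0-0x0000000000F10000-0x0000000000FB4000-memory.dmp",
        "memory/2480-1-0x0000000000F10000-0x0000000000FB4000-memory.dmp",
        "memory/2480-2-0x0000000000F75000-0x0000000000F7A000-memory.dmp",
        "memory/2480-3-0x0000000000F10000-0x0000000000FB4000-memory.dmp",
    ],
    "behavioral2": [
        "memory/5052-1-0x0000000000E60000-0x0000000000F04000-memory.dmp",
        "memory/5052-0-0x0000000000E60000-0x0000000000F04000-memory.dmp",
        "memory/5052-3-0x0000000000E60000-0x0000000000F04000-memory.dmp",
        "memory/5052-2-0x0000000000EC5000-0x0000000000ECA000-memory.dmp",
        "memory/5052-4-0x0000000000E40000-0x0000000000E4F000-memory.dmp",
        "memory/5052-50-0x0000000000E60000-0x0000000000F04000-memory.dmp",
    ],
}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
NAME_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Decode one dump file name into pid, sequence number and address range."""
    m = NAME_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "seq": int(seq), "start": start, "end": end,
            "size": end - start}


def regions_by_run(dumps):
    """Collapse repeated dumps of the same range into one region per run."""
    out = {}
    for run, names in dumps.items():
        counts = defaultdict(int)
        for n in names:
            r = parse_dump_name(n)
            counts[(r["start"], r["end"])] += 1
        out[run] = {rng: {"size": rng[1] - rng[0], "dumps": c}
                    for rng, c in counts.items()}
    return out


def shared_sizes(by_run):
    """Region sizes that occur in every run: same image, different base."""
    sets = [{v["size"] for v in regs.values()} for regs in by_run.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    by_run = regions_by_run(DUMPS)
    for run, regs in by_run.items():
        for (s, e), info in sorted(regs.items()):
            print(f"{run}: 0x{s:X}-0x{e:X} size 0x{info['size']:X} "
                  f"dumped {info['dumps']}x")
    print("sizes present in every run:",
          [hex(s) for s in sorted(shared_sizes(by_run))])
```

Matching regions by size rather than by address is what makes the two runs comparable, since the base address is randomised per process; the sequence numbers (0 to 3 on Windows 7, up to 50 on Windows 10) are dump order, not offsets.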
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | f646488e081a5c175ce1fb03ba482264 |
| SHA1 | 27f7ff92f2b9808c9b998f87ad5b03057ebab12c |
| SHA256 | e6312e65983df0745340cf492de216be2cf14f34ceba56a53b26a5f196c31f8f |
| SHA512 | 2cf3f2f8b2858a66c1eba71235fa0349c3335af4c18967951e086e9e9c87ba4028b1c1bde4c5657deda07d2f4e0cc2cf7ac5c965d8b3a35aed8f18e2beb5676a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
| MD5 | f93911cedd62ef2e6a51e613c19adef3 |
| SHA1 | eff6d34e9cc51260de019f3f8e4b6c8a0943192c |
| SHA256 | 8a64314bbce79095944fb211a5389bc26a989a58e8850bbd233454e3c94317ce |
| SHA512 | 0f31cbcee7a22452ef62cfd311bb7ab9ba928776d1c6cfa06c515387003f4927e400a775a023bb4fc816f35619543be59129570b67bae03b71a06c1473b550bf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 102c59efafbf6d59da6d256bfdd7a829 |
| SHA1 | 48f9f758805fa34a8356a1386672007d4e1d637f |
| SHA256 | d0d9a1571cbc6bc45de58b4cb30ced39684ee19848ff5ebbc814ac4e9db9d609 |
| SHA512 | f59d0d8ab47a665bd3ec662319ea1ec49e08941823138513e3be24b7c95df780801adffb8749c3bc00657e0f60928db81c8b4307ad7c673c8b514fdf1c8086ab |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
| MD5 | 4773acc1a6adcc68caaa350ce0bc6ee5 |
| SHA1 | 1cb787f9186ee989eb49706b3bb461d72ff0f86e |
| SHA256 | a067cf75414000380c330226be5dbf0989dd7c0f04dffe970cd0c5a2f2afac06 |
| SHA512 | 446c114d55da1ddcd6beb4f645ddfe9b1c935eae4003fd1e5e6cfd8d8ecc1a57a3b2dde14c73c54d6ae16928b8bf78a062cc71a9f53c518e171efd9ed8f93a97 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\favicon[1].ico
| MD5 | be87fd81ff4e82e7ed57b0c8951c66d0 |
| SHA1 | 4a918234d3225b585dffb7b6d587acb3fbb39618 |
| SHA256 | 637b67152dba0b0b33c8aadb38ea7c86b7a12b37366c7183f898c36c222b04fd |
| SHA512 | 87ec908135335b4074d412b04188bf05d00f468400d2837ba2ca1c77440b6f2f15ba648f2a8f42b1301d77df54bf2a00e59416942807ccd90e36f59431638de7 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3qb0obk\imagestore.dat
| MD5 | b04e763b21c19dd2336ec99460895e86 |
| SHA1 | 7a8a3ec2d7f79bcf4e3cd18abbe988f71103be86 |
| SHA256 | 990874c05689a00034e4202118197b452259f752d398008498ddcead60b6333e |
| SHA512 | d9119ec11ff79809ff11f132085d93022c5b1a29cb184780632e10b93a35d87dac478a3ea7b2537965d14de41923784d2a80e86e45daa1a3958430e49d9c9456 |
C:\Users\Admin\AppData\Local\Temp\~DF3BC57508BC4BAEDC.TMP
| MD5 | 6e46041fb31418622ccabe10b2ba5bee |
| SHA1 | f547c8a0457371729def7998d6facb7eb527b047 |
| SHA256 | 0277e65eb5a47deb0d3201289d796523a41e2264256cec00f200e32b9d31d653 |
| SHA512 | 83bc3e81359d8540a0c3a0c48e35e85cb72e8c32ee7a18474662efe5bc659b23ce98a3a38a4e9c1bfd0627847828323676051fd11a960afefaa03501e3f6202c |