Malware Analysis Report

2024-11-15 05:27

Sample ID 240613-bqjdkaseqq
Target a3571896f227ac0d53699ad017e64c36_JaffaCakes118
SHA256 94f5aa93be2f4f52ba689eb001e2b4184c4055a0dad24e093c74327307e1f3e1
Tags discovery
Score 7/10

Analysis Overview

Score 7/10

SHA256 94f5aa93be2f4f52ba689eb001e2b4184c4055a0dad24e093c74327307e1f3e1

Threat Level: Shows suspicious behavior

The file a3571896f227ac0d53699ad017e64c36_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Deletes itself

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-13 01:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 01:20

Reported

2024-06-13 01:23

Platform

win7-20240611-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\searchlen.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage\searchlen.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8AF3DCFB-4E4C-4149-9A10-CB6DA39AFF94} C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424403526" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8AF3DCFB-4E4C-4149-9A10-CB6DA39AFF94}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8AF3DCFB-4E4C-4149-9A10-CB6DA39AFF94}\URL = "http://search.searchlen.com/s?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000638c42c9a1a030477a071a64d130b8ab7297936b61484dfda3fb6d6f109fd6a6000000000e8000000002000020000000e1bfa8bb610bde211b5c01c47014440dc80df60b46035afab9e3483fded4bfd42000000049580fd49d968860f45eef2ab0522a995c96e021045016faffe258ce80a006ea40000000e541d18b9318cf2d6d9806aff6511410939d8791dc55c6a65556ad17b932c9690accdeea3645191b0413b1c282bf3c2cde8434b2c4ebe3fcefd1c8a6160b4b4b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\{8AF3DCFB-4E4C-4149-9A10-CB6DA39AFF94}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2F9060C1-2923-11EF-9684-CE8752B95906} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b6ee0930bdda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2232 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2648 wrote to memory of 2084 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2232 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.searchlen.com/?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c FOR /L %V IN (1,1,10) DO del /F "C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe" >> NUL & PING 1.1.1.1 -n 1 -w 1000 > NUL & IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe" EXIT

C:\Windows\SysWOW64\PING.EXE

PING 1.1.1.1 -n 1 -w 1000

Network

Country Destination Domain Proto

Files


MD5 9eb3d81dc96df10e019f2834eb98f65c
SHA1 6f8ec260f548332ae43e61fa1deae45303d5cedf
SHA256 230c98de8a0c3a48da180dd40f4386df3f132cdc173a759a68f17fc3de9e8650
SHA512 eae8eb33d707ad4c3ad4d38e9feb95d38b73fe3cdbdb85cd43736849d92014f7f17a1ab7391bda7f1054b53b1fccddb5134e7726afddf9d782c6a181c14af006

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b96ed81e253f58171ade403a2f6127be
SHA1 3ed6d2faa829816f59d866f15f499b3a6904d042
SHA256 0090fc0e88564f24f19b92dfc65de3d18e856fe9caf0f541405e797067d8158c
SHA512 797ba2997e10652a8f80cae5f28912d13bc6d1779b9f915391eded2eb004c3aceb82237edcd974c39476c69e9b216e72af6492e71809111ff3c705a029f0ae6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b8e522b62feb42f1363bacfc251b8bd
SHA1 0560283f59c13c30b26471420c20c8c58d490828
SHA256 aaa543efa381a4bb8f99654b1f707a4e50216f96158a347df4d3d9cf01c9492c
SHA512 46138a39a6ff9f9fd282b40e30bd50d07d24691ec614a9eb54b596b4b9743ce4dfb987f2ade29e43decc52694781fe3579e13a6274bdd52dce81ef611cf40c68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 430738cea3e832b94d2d54d91cef15c0
SHA1 f158478691706d8ef288a47f45df2350b9c00fc3
SHA256 e64a2ec337c6670553025ffcd0183c9ee58c28b1a10503e421ca53dfc9e0a97b
SHA512 9fea1e638afb4c71dccdb0e6d84d3e6999013dab33ee64936284cc91255cf70eaf367770c55607b11da382fa07705aa70478e5c453b6fd1588e919e165dd6d29

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a207c6b08df2586535f3d84681bc04fc
SHA1 7c3c2ff1349dcfd9fa5b76c6175545307a3cc65e
SHA256 29a99ebcc35581337782c10a00a7ac97acedfb18bb1ea888180aed78d249d1f8
SHA512 89a1af039f52c421952843fd74261a4b2edcbac23929556322d2985ed774bb1f87c5ba0b4981c68a4d04ef3410b2c6182504a2db67f744240f52db61c87c3c3b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 51808ad18ca7a8f5b73cde59036f3165
SHA1 af072272ea8cc8eb3f8ea04c374595cc5b2d8004
SHA256 3a84473fb510e4085f0accf6050a7d69bc6d6009ce75ed5f6b6accc7f2bac290
SHA512 b2e21ab78266fb76e948f4fe2d842f9d673263f22d74bdb329ad0f6202b490adccfdf050020598f47f4f1fb49629d0946e4bf7c794464b598d787f2da60b5a15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4944625fcd67cf8bdcc8647f80601fad
SHA1 061da0de903bcbcc72bc22b1d649166ea7e4378d
SHA256 cfc6ca529a0858dcc53fd4ed63161f99f8d47f6bd0f5fa7b30f49ed2b53dad14
SHA512 abd7b357a57ea20370b61331ce29565229395ca384047f27ea9908863f8eaaa8b1755ab7e4d00277c3eac8cb33417d0e02f927997f8e092727acae9d545358b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9cb2322182d7c09130dd5f8ef167ce8
SHA1 1652c68d54f5a0485d639cd8e8251dfabae1d17b
SHA256 fc181d0b8d831196ed1528cd7ce70aebc87f50906dfc477cb95856e45caf3ad9
SHA512 87f53ce704c70b131a9eaf015829b502a8799f2e62f3052cf51113fb1e2d99abe0d0aa1024744fffa28f22d95fcace54f10e7b629a25c06a765a30993faa48b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11ff6894fff0d3f35c271b3c5a9a5b5d
SHA1 1207159569497a28912ad5d1dbf9520efa0ac907
SHA256 4d716e3e37d170bee83c4fc707dd3092e262ecfd6e80b00526be189c8a48e0f6
SHA512 95d4469524a066a85cdb3cc514be46e5448329bc03fda710b9b977a02bdeff75a080b50d9a2f96bbdc35c3cb82de4be06834d09170082d9bb159c495d062ded2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 01:20

Reported

2024-06-13 01:23

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112496" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112496" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112496" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087} | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{3CE18557-5BE2-440F-A191-0CBCBD67A087}" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "82224132" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087}\URL = "http://search.searchlen.com/s?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30&query={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "82224132" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425006633" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{307D1537-2923-11EF-B1BA-429904AF4EC5} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "86129929" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30" | C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe | N/A
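The two "Modifies Internet Explorer" tables above mix two very different actors: most rows are IEXPLORE.EXE doing its own first-run housekeeping (VersionManager, DomainSuggestion, GPU, Recovery), while the rows that matter for triage are the ones whose Process column is the submitted sample itself, which creates a SearchScopes entry, makes it the DefaultScope and points both its URL and Main\Start Page at search.searchlen.com. The script below is an added example written for this report, not part of the sandbox's output: it parses rows in the report's flattened "Description Indicator Process Target" layout (and the pipe-separated form), attributes each write to its process, picks out the search/start-page keys the sample wrote, and extracts the hostnames from the URLs for blocking or pivoting. The input rows are copied from the tables above; the list of keys treated as "hijack" keys and the sample filename are this example's own assumptions.

```python
"""Triage of sandbox registry indicators: separate what the submitted sample
wrote from what Internet Explorer writes on its own first run, and pull the
hostnames out of the search-scope / start-page values it set."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import urlsplit

# Assumption: the basename of the process the sandbox detonated.
SAMPLE_EXE = "a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe"

# Constructed input: rows copied from the behavioral2 signature tables above,
# in the report's flattened "Description Indicator Process Target" layout.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112496" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087} C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{3CE18557-5BE2-440F-A191-0CBCBD67A087}" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{3CE18557-5BE2-440F-A191-0CBCBD67A087}\URL = "http://search.searchlen.com/s?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?source=Bing&uid=83c33ebb-b9c1-4ad1-ad69-8f3b71d82b86&uc=20180111&ap=appfocus29&i_id=email__1.30" C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A',
]

# Flattened layout: <action> <key>[ = <value>] <process path> N/A.  Keys and
# values may contain spaces, so the key/value groups are non-greedy and the
# process path is anchored on the drive letter and the trailing "N/A".
ROW_RE = re.compile(
    r"^(?P<action>Set value \((?:str|int|data)\)|Key created|Key value queried) "
    r"(?P<key>\\REGISTRY\\.+?)"
    r"(?: = (?P<value>.+?))?"
    r" (?P<process>[A-Za-z]:\\.+?) N/A$"
)

# Assumption: value names that decide where IE sends searches and what it
# opens at start; a write to these by a non-browser process is a hijack.
HIJACK_KEY_RE = re.compile(
    r"\\Internet Explorer\\(?:Main\\Start Page|SearchScopes\\DefaultScope"
    r"|SearchScopes\\\{[0-9A-Fa-f-]+\}\\URL)$"
)


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str
    value: Optional[str]   # None for "Key created" / "Key value queried"
    process: str


def parse_row(line: str) -> RegEvent:
    """Accepts both the flattened export row and a 'a | b | c | d' rendering."""
    line = line.strip()
    if " | " in line:
        action, indicator, process, _target = (p.strip() for p in line.split(" | ", 3))
        key, sep, value = indicator.partition(" = ")
        value = value if sep else None
    else:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line[:60]!r}")
        action, key, value, process = m.group("action", "key", "value", "process")
    # str/int values are quoted in the report; binary (data) values are raw hex.
    if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return RegEvent(action, key, value, process)


def process_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def events_by_process(events: List[RegEvent]) -> Dict[str, List[RegEvent]]:
    out: Dict[str, List[RegEvent]] = {}
    for e in events:
        out.setdefault(process_name(e.process), []).append(e)
    return out


def hijack_events(events: List[RegEvent], sample_exe: str = SAMPLE_EXE) -> List[RegEvent]:
    """Value writes made by the sample itself to the search/start-page keys."""
    return [e for e in events
            if process_name(e.process) == sample_exe.lower()
            and e.action.startswith("Set value")
            and HIJACK_KEY_RE.search(e.key)]


def hosts_written(events: List[RegEvent], sample_exe: str = SAMPLE_EXE) -> Set[str]:
    """Hostnames of every URL the sample wrote under the IE hive."""
    hosts: Set[str] = set()
    for e in events:
        if process_name(e.process) != sample_exe.lower() or not e.value:
            continue
        if e.value.lower().startswith(("http://", "https://")):
            host = urlsplit(e.value).hostname
            if host:
                hosts.add(host)
    return hosts


def triage(lines: List[str], sample_exe: str = SAMPLE_EXE) -> dict:
    events = [parse_row(line) for line in lines]
    return {
        "by_process": {p: len(es) for p, es in events_by_process(events).items()},
        "hijack": [(e.key.rsplit("\\", 1)[-1], e.value) for e in hijack_events(events, sample_exe)],
        "hosts": sorted(hosts_written(events, sample_exe)),
    }


if __name__ == "__main__":
    for k, v in triage(REPORT_ROWS).items():
        print(k, v)
```

On the rows above this yields three hijack writes by the sample (DefaultScope, the scope's URL, and Main\Start Page) and two hosts, search.searchlen.com and ie.search.yahoo.com; everything IEXPLORE.EXE wrote is attributed to the browser and left out of the hijack list.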

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a3571896f227ac0d53699ad017e64c36_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 search.searchlen.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ie.search.yahoo.com udp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
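Most rows in the Network table are the sandbox resolver (8.8.8.8:53) being asked for forward names and for PTR records (the in-addr.arpa entries), which typically reflect the analysis environment looking up the peers it saw rather than anything the sample chose to contact. Read that way, the table shows that search.searchlen.com, the host the sample wrote into the IE search scope and start page, was only ever queried: no TCP connection to it appears, while ie.search.yahoo.com, g.bing.com, www.bing.com and ieonline.microsoft.com were reached over 443. The script below is an added example for this report, not part of the sandbox output: it parses the table as exported above (constructed input, copied verbatim), drops reverse lookups, and reports which names were looked up but never connected to. Treating 8.8.8.8 as the sandbox resolver is this example's assumption.

```python
"""Triage of the sandbox Network table: separate resolver traffic from real
connections, set aside the environment's reverse-DNS noise, and show which
looked-up names were never actually contacted."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed input: the behavioral2 Network table above, in the report's
# "Country Destination Domain Proto" export layout.
NETWORK_TABLE = """\
US 8.8.8.8:53 search.searchlen.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ie.search.yahoo.com udp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
"""

# Assumption: the resolver the sandbox guest is configured with.
RESOLVERS = {"8.8.8.8"}
PTR_SUFFIX = ".in-addr.arpa"
Endpoint = Tuple[str, int, str]   # (ip, port, proto)


@dataclass(frozen=True)
class NetRow:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network(text: str) -> List[NetRow]:
    """Parse the export layout; a '|'-separated rendering is accepted too."""
    rows: List[NetRow] = []
    for line in text.splitlines():
        parts = line.replace("|", " ").split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append(NetRow(country, ip, int(port), domain.lower(), proto.lower()))
    return rows


def is_reverse_lookup(domain: str) -> bool:
    return domain.endswith(PTR_SUFFIX)


def ptr_target(domain: str) -> str:
    """'137.100.82.212.in-addr.arpa' -> '212.82.100.137'."""
    octets = domain[:-len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def summarize(rows: List[NetRow]) -> Dict[str, List[Endpoint]]:
    """Each forward name -> distinct non-resolver endpoints contacted under it.
    An empty list means the name was looked up but never connected to."""
    looked_up: Set[str] = set()
    contacted: Dict[str, Set[Endpoint]] = defaultdict(set)
    for r in rows:
        if is_reverse_lookup(r.domain):
            continue
        if r.port == 53 and r.proto == "udp" and r.ip in RESOLVERS:
            looked_up.add(r.domain)
        else:
            contacted[r.domain].add((r.ip, r.port, r.proto))
    return {d: sorted(contacted.get(d, ())) for d in looked_up | set(contacted)}


def dns_only(summary: Dict[str, List[Endpoint]]) -> List[str]:
    return sorted(d for d, eps in summary.items() if not eps)


def reverse_lookups(rows: List[NetRow]) -> List[str]:
    """IPs the environment reverse-resolved, mapped back from their PTR names."""
    return sorted({ptr_target(r.domain) for r in rows if is_reverse_lookup(r.domain)})


if __name__ == "__main__":
    rows = parse_network(NETWORK_TABLE)
    summary = summarize(rows)
    for name, endpoints in sorted(summary.items()):
        print(name, endpoints or "(DNS only)")
    print("PTR targets:", reverse_lookups(rows))
```

Run against the table above, the only DNS-only name is search.searchlen.com; the duplicated ie.search.yahoo.com rows collapse to one endpoint because the summary keys on (ip, port, proto) rather than on connection count.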

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V54QW64X\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee