Malware Analysis Report

2024-10-10 12:04

Sample ID 240613-r92bgsxfll
Target a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118
SHA256 b3abb1530d11b24cfd774d4557e0d1ff56b49612f3871873e5fc9b9f55e6e619
Tags: discovery
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: b3abb1530d11b24cfd774d4557e0d1ff56b49612f3871873e5fc9b9f55e6e619

Threat Level: Shows suspicious behavior

The file a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

discovery

Checks computer location settings

Deletes itself

Checks installed software on the system

Enumerates physical storage devices

Unsigned PE

Modifies Internet Explorer settings

Modifies Internet Explorer start page

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 14:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 14:54

Reported: 2024-06-13 14:56

Platform: win7-20240221-en

Max time kernel: 143s

Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{02F93ABD-6BF3-4846-A68D-1B674FD2269A}\URL = "http://search.searchlen.com/s?uc=20180430&source=Bing-bb8&ap=appfocus29&uid=3eecf364-ea34-4dca-a172-f24c34415676&i_id=email__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{02F93ABD-6BF3-4846-A68D-1B674FD2269A} C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\searchlen.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fd87083e59976047956e8798d94a5f7400000000020000000000106600000001000020000000328f2b956cf3c301492c82ee266a2a3f384bce73cf007068d874536b96dfb9d1000000000e80000000020000200000006c92542bc9dc8bdf021fbd4b2caf86dbafc4cf8a8b550944befd7125e765feb9200000004d7e1a9a1312e348a5f97462c5bef739a58f9b0b6b6ff75bc15066bf9be308e840000000c612a72bc89f01f1689a4b8eb45394e33f6f37eb49864555fc30a013957a5c34f64fd84e7e269fdb8a36b4575562259ff6d64228cfb3349fdb5b031ed16b02b7 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D43459D1-2994-11EF-8A46-EA263619F6CB} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DOMStorage\searchlen.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured in this copy of the report) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{02F93ABD-6BF3-4846-A68D-1B674FD2269A}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d08594aca1bdda01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424452334" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\{02F93ABD-6BF3-4846-A68D-1B674FD2269A}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

Tags: stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?uc=20180430&source=Bing-bb8&ap=appfocus29&uid=3eecf364-ea34-4dca-a172-f24c34415676&i_id=email__1.30" C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2336 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2848 wrote to memory of 2724 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2904 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2904 wrote to memory of 760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.searchlen.com/?uc=20180430&source=Bing-bb8&ap=appfocus29&uid=3eecf364-ea34-4dca-a172-f24c34415676&i_id=email__1.30

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c FOR /L %V IN (1,1,10) DO del /F "C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe" >> NUL & PING 1.1.1.1 -n 1 -w 1000 > NUL & IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe" EXIT

C:\Windows\SysWOW64\PING.EXE

PING 1.1.1.1 -n 1 -w 1000

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:54

Reported

2024-06-13 14:56

Platform

win10v2004-20240508-en

Max time kernel

77s

Max time network

87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424452344" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9F32799E-CA9E-4F07-872D-7F234A3DE35D}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9F32799E-CA9E-4F07-872D-7F234A3DE35D}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D3AB8CCD-2994-11EF-9519-FE55E2F65CCF} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9F32799E-CA9E-4F07-872D-7F234A3DE35D} | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{9F32799E-CA9E-4F07-872D-7F234A3DE35D}" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9F32799E-CA9E-4F07-872D-7F234A3DE35D}\URL = "http://search.searchlen.com/s?uc=20180430&source=Bing-bb8&ap=appfocus29&uid=3eecf364-ea34-4dca-a172-f24c34415676&i_id=email__1.30&query={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer start page

stealer
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.searchlen.com/?uc=20180430&source=Bing-bb8&ap=appfocus29&uid=3eecf364-ea34-4dca-a172-f24c34415676&i_id=email__1.30" | C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a620ad17c77f5d3b6f65ee6ec33f86de_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1420 CREDAT:17410 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | search.searchlen.com | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | ie.search.yahoo.com | udp
US | 8.8.8.8:53 | ie.search.yahoo.com | udp

Files

N/A