Malware Analysis Report

2024-10-23 19:32

Sample ID 240620-2kj11svcnp
Target 09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118
SHA256 523f5475cbf881123bdb0a82c41ccbec3ce61dbc3ca07488cadf8a53db873492
Tags
modiloader persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

523f5475cbf881123bdb0a82c41ccbec3ce61dbc3ca07488cadf8a53db873492

Threat Level: Known bad

The file 09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader persistence trojan

ModiLoader, DBatLoader

ModiLoader Second Stage

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 22:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 22:38

Reported

2024-06-20 22:40

Platform

win7-20240220-en

Max time kernel

134s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2704 set thread context of 2468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425084974" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CF260DF1-2F55-11EF-8A04-E6AC171B5DA5} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2364 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe
PID 2704 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE
PID 2468 wrote to memory of 2928 N/A C:\program files\internet explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2468 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files


\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

MD5 da333cc7de36ac7edf79149c0c5e2384
SHA1 7d142142485e686087a96a5d3f9808cf45fe7ceb
SHA256 e23f5f7e385220bb96105c4e02cba8160aa2edae15f34c0bb9b83255356df476
SHA512 a87b640ec9b4bad3911759d4979fd5874f86a1f91f5c1d1553ae8948644a2745341d16c0000a565197ac03029570c5fc0fd438ef74757e3b061c1e4a9a6cfe88


C:\Users\Admin\AppData\Local\Temp\Cab21F5.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab22C2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar22E6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 22:38

Reported

2024-06-20 22:41

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1268 set thread context of 1192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe C:\program files\internet explorer\IEXPLORE.EXE

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\FieleWay.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114082" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3183568360" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425688142" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E88F97CE-2F55-11EF-B9F7-6655CA8B1A37} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114082" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3376068582" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3183568360" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114082" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\09e14f639091fe91d590adfaba2cf2d9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5.exe

MD5 da333cc7de36ac7edf79149c0c5e2384
SHA1 7d142142485e686087a96a5d3f9808cf45fe7ceb
SHA256 e23f5f7e385220bb96105c4e02cba8160aa2edae15f34c0bb9b83255356df476
SHA512 a87b640ec9b4bad3911759d4979fd5874f86a1f91f5c1d1553ae8948644a2745341d16c0000a565197ac03029570c5fc0fd438ef74757e3b061c1e4a9a6cfe88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 7d3b85dddbdd4fdb82ea4c9e4eb4b386
SHA1 ec55434869bf1ce79d37ebc36af1cea98309ca89
SHA256 9ff2020f99ff7cefa80d5551715f465a89592320ea24e72c001e11a216445cb1
SHA512 0d595242ed30e20906f2f50fd4fe454a963498bb07a34b2b892d9fe5a2cb7b76d195ac766342034b422e3d3705c7760ebaa5fdc4a9076f60dfa7c61336d51d03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 5031b6d4238e2fc242b6479e547691da
SHA1 52951b3477e317ab8427711380a6de56c2be4ba8
SHA256 a5be524cbd978b63a8b893f826b03270b13836515625c8a7dd87395bebcd248b
SHA512 bfde57f7dce3fcb8ed2cfff614d17c25e9b088164b8ab611bbe7130516ed5041fafc3934256f3d06ccd1d1b4a160ac05060d0119eb6bde8b99c690606eb102e2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee