Malware Analysis Report

2025-01-22 12:59

Sample ID 240626-kp6bdawdpb
Target 1168b89f120da9898cc71d3ab48bd768_JaffaCakes118
SHA256 986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112
Tags
bootkit persistence vmprotect
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112

Threat Level: Shows suspicious behavior

The file 1168b89f120da9898cc71d3ab48bd768_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence vmprotect

Executes dropped EXE

VMProtect packed file

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 08:47

Signatures

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 08:47

Reported

2024-06-26 08:50

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\svchosts.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A
File opened for modification | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db20d4d61f9b3d4b8223119d16ffd968000000000200000000001066000000010000200000006f12c6ba5ef9223a660130f5c962b8b1f6249ac3fe2a768ddc0bc98ead113b2f000000000e80000000020000200000005a28074b40a70b5026cbb40139dc243f971826bc384139fa64ebfa500caf028320000000e3b58e52e20869dd2a4483382a3e1be9e31ddbf3eae616c32766257b8448ef2940000000a880dc7e64922ab70f4c6c964b895ba8514e915051f1258603c0c79aab9f8816d56339d0636ec6296e0ef4e05fbac2073aba43bd35bfa2f50f482074f9d07f55 | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2622150702" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C7085864-3398-11EF-B9F7-C69DB2B6DED0} = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115173" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115173" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d253b2a5c7da01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2622150702" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115173" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2715901315" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426156663" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000db20d4d61f9b3d4b8223119d16ffd96800000000020000000000106600000001000020000000a22979635968d073ca1641d89694946e80944759a58b33f0d4044908be2aa8b6000000000e8000000002000020000000c51c74aaada9c8b2e6e387c223db3ed6a31c82c580d92c581df757e57935993e200000003595f91df69d29e0147f0200d68cd4745e867a2e795dc6626e326b4f58957ec94000000059244d7bfb8762b51fc2f417830630842fbf4d5c25e680ec5d50eafc057872917f632061de7f233bd3f681c7c6ea3ec97cf08dd4ede85c7e585dae1305d62358 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9016d0b7a5c7da01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\progra~1\Intern~1\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\progra~1\Intern~1\iexplore.exe | N/A
N/A | N/A | C:\windows\svchosts.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe"

C:\windows\svchosts.exe

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe

C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=QM00013&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4688 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | jianqiangzhe1.com | udp
US | 8.8.8.8:53 | ip213.com | udp
US | 8.8.8.8:53 | jianqiangzhe1.com | udp
US | 8.8.8.8:53 | jianqiangzhe1.com | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp

Files

memory/4836-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4836-1-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\svchosts.exe

MD5 1168b89f120da9898cc71d3ab48bd768
SHA1 8963fdd65cbe1f786f0296b26f46f71897d12dc7
SHA256 986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112
SHA512 86ca04ea1726915231913534bc64650d32deaa729aec43f5a74509e1c1e438cda1ae124dd4088d1e4876e61386b94702e4512ec8ae7fa6615219596d1b8f3bed

memory/3108-9-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4688-12-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-13-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-15-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-16-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-19-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-18-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-20-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-17-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-23-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-22-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-21-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-25-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-26-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-28-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-30-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-31-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-33-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-32-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-34-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-36-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-39-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-41-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-40-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-38-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-42-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-43-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-44-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-45-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-46-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-50-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-51-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-52-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-53-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-54-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-59-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4836-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3108-61-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4688-65-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-66-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-67-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-72-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-71-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-70-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-69-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-73-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-78-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-84-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-87-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-85-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

memory/4688-86-0x00007FF9FAD30000-0x00007FF9FAD9E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 5f0847e5a15af2d7923393c3cd30c5d1
SHA1 326c44f2bc29ec6578a400d6d46361efcb013540
SHA256 28766e681bf500e9cddbcd3275cd898c4165354ad087c2461d9ee374a7e2221e
SHA512 a83751183cd1f2ac063a0077f8edfaecda72a4649437070c83f88151c822ff42d43fb8a291c123af2598e10d15cbdc147cef353b2149baca9462fb02e3d67a06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 317177f158be9397fcf09d256b01d126
SHA1 fefebef7a66ab8d6e9ae363f7133b476c9c6030c
SHA256 3dc6496996f137a27d0b46256fedfb2305fde8fd507a1a1c1e7fc387b3941dbf
SHA512 f7b4e2c6c7a24f36a0eb5ced3bb33603bfe833fb4492b391f0b895fe7b005201a618fc019aa330349179c3a5f84e934a6c1611554e5df97a2bcf52794b46efad

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8ZO46T3J\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 08:47

Reported

2024-06-26 08:50

Platform

win7-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\svchosts.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A
File opened for modification | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BC65EA41-3398-11EF-BCC0-5E4DB530A215} = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000b2968c6cf60b74b94229c882944fb8100000000020000000000106600000001000020000000080b934e3c9ef354c4f60011d034f4111f0b9417a9eea9dd0057d6630fb263d4000000000e800000000200002000000012738367ac6d13e1048388ac56ac4b36219c0e2520862f9673a60ac5e3a259bf2000000092875f8e7811da5edaed49355f0180be96d7454286e0bcd666a736150a00ea2a40000000240f5e1d7c417dc73099cff8dcf98e971534b5cff581da584b7c96b7f619e9b458fbfc55bd35fe1e1764ee366a854700924c6a9c43c6203de3c605b71e81a5c9 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40cdfe90a5c7da01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425553523" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] | C:\progra~1\Intern~1\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\progra~1\Intern~1\iexplore.exe | N/A
N/A | N/A | C:\windows\svchosts.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2940 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\windows\svchosts.exe
PID 2940 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\windows\svchosts.exe
PID 2940 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\windows\svchosts.exe
PID 2940 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\windows\svchosts.exe
PID 2940 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\progra~1\Intern~1\iexplore.exe
PID 2940 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\progra~1\Intern~1\iexplore.exe
PID 2940 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\progra~1\Intern~1\iexplore.exe
PID 2940 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe | C:\progra~1\Intern~1\iexplore.exe
PID 2960 wrote to memory of 2716 | N/A | C:\progra~1\Intern~1\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2716 | N/A | C:\progra~1\Intern~1\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2716 | N/A | C:\progra~1\Intern~1\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2960 wrote to memory of 2716 | N/A | C:\progra~1\Intern~1\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1168b89f120da9898cc71d3ab48bd768_JaffaCakes118.exe"

C:\windows\svchosts.exe

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe

C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=DD00013&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2960 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jianqiangzhe1.com | udp
US | 8.8.8.8:53 | ip213.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

memory/2940-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2940-1-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\svchosts.exe

MD5 1168b89f120da9898cc71d3ab48bd768
SHA1 8963fdd65cbe1f786f0296b26f46f71897d12dc7
SHA256 986cd097aaa077dd2acf09937266c69a64fdf9e3b8d011ed7656b6f669a81112
SHA512 86ca04ea1726915231913534bc64650d32deaa729aec43f5a74509e1c1e438cda1ae124dd4088d1e4876e61386b94702e4512ec8ae7fa6615219596d1b8f3bed

memory/2432-12-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2940-11-0x0000000000230000-0x0000000000261000-memory.dmp

memory/2960-15-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/2940-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2432-21-0x00000000003F0000-0x00000000003F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3A43.tmp

MD5 2d3dcf90f6c99f47e7593ea250c9e749
SHA1 51be82be4a272669983313565b4940d4b1385237
SHA256 8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4
SHA512 9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2870c575d8c1674c39e7255a217bab4a