Malware Analysis Report

2025-03-15 05:51

Sample ID 240627-zh94bascpr
Target 17752f2da51816eaa4072dfb75b879f7_JaffaCakes118
SHA256 eead66bab28b7cac9b750e0d275118ba39547ac3f5cd3019ba5f3724a37332d2
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

eead66bab28b7cac9b750e0d275118ba39547ac3f5cd3019ba5f3724a37332d2

Threat Level: Shows suspicious behavior

The file 17752f2da51816eaa4072dfb75b879f7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

VMProtect packed file

Deletes itself

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Enumerates system info in registry

Views/modifies file attributes

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 20:44

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 20:44

Reported

2024-06-27 20:46

Platform

win7-20240611-en

Max time kernel

119s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\urlzm.exe N/A
N/A N/A C:\Windows\iesuo.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\iesuo.exe N/A
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\iesuo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\urlzm.exe C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\iesuo.exe C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\yx.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\mm.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\mp3.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\ico.bat C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\dy.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\cy.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\taobao.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\ico.vbs C:\Windows\urlzm.exe N/A
File opened for modification C:\Windows\RegText.reg C:\Windows\iesuo.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5039fcded2c8da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425682928" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{078AF961-34C6-11EF-B267-DE271FC37611} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000a0b8c1cc282128be7da84347e47a0a731e75ba39ae059a6ebe60df32faa482a2000000000e80000000020000200000000b1d5a5b80992bba06d6c0494967c1c0f0191259a7e5d20fc715bcbc6be3ff0d200000007975bad06e478fd14201301fb35b281d62ec3a48ff4d53d90185007f47a067ce400000008ac67aa631f75078d31c22bcaef21c99c33cc26e19a2febcbeac2efcd4705463d98b72b09454d1c0369fbbaf430a55a748252ff7390f8373ce1d3f2b4ec27178 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E} C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R)\Command C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ = "Internet Explorer" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R) C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\Command C:\Windows\iesuo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\Attributes = "0" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "HideOnDesktopPerUser" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p:%//%12%10%17%18%10.%c%o%m" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "HideFolderVerbs" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "WantsParseDisplayName" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\DefaultIcon C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O) C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\ = "Open(&O)" C:\Windows\iesuo.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 1656 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 1660 wrote to memory of 2380 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2380 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2380 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 1660 wrote to memory of 2380 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 1656 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 1656 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 1656 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 1660 wrote to memory of 2644 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 2644 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 2644 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 2644 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 1728 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 1660 wrote to memory of 1728 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 1660 wrote to memory of 1728 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 1660 wrote to memory of 1728 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 2644 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2644 wrote to memory of 2816 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2544 wrote to memory of 2076 N/A C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2076 N/A C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2544 wrote to memory of 2076 N/A C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2816 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 3068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2816 wrote to memory of 2764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2076 wrote to memory of 1452 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\aa.bat""

C:\Windows\urlzm.exe

urlzm.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat""

C:\Windows\iesuo.exe

iesuo.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\windows\ico.vbs"

C:\Windows\explorer.exe

explorer http://t.248.la

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\windows\ico.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://t.248.la/

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\淘宝特价区.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\赚钱好项目.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\高清电影.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\美女图片.url" /p everyone:f

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\伤感歌曲.url" /p everyone:f

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\淘宝特价区.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\赚钱好项目.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\高清电影.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\美女图片.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\伤感歌曲.url" +R +S

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\淘宝特价区.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\赚钱好项目.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\高清电影.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\美女图片.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\伤感歌曲.url" /p everyone:R

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /S C:\Windows\RegText.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c del iesuo.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 t.248.la udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1656-0-0x0000000000400000-0x0000000000492000-memory.dmp

memory/1656-1-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aa.bat

MD5 c39cf11a65520ba86f428c34bbe8729b
SHA1 4bdce91b5c7ebaa7b8bcc380596b34f06d82d9cc
SHA256 1809630e00b7ba038d2e410453e5146ebea82e15bfa0b281bcd6731605536e0f
SHA512 16f50fa9563f5e7b29a3546f655b2e9341cdde3ef3067e8466bdf29b8ceab9f27768dc63968286320f1c2f7e32b40c7fb19564806d9e7405ef2efaddf7c1a755

C:\Windows\urlzm.exe

MD5 cdf7696202055858ff628092f1c8079d
SHA1 832aa1caef5ff8e13f61294986bc3e29e350b3d3
SHA256 834ca6b6eca8283c950f356f09c12014b7298908eeda2f985c4d920ef97a0a71
SHA512 58232e3989e8ceb89be572bc896af4da745bbbe4f9b3a61f47f64f77024f628d455d4b24246e1600f512cfef2f5caa554dedf6909a4211ed0a13cc28159926b8

C:\Users\Admin\AppData\Local\Temp\kill.bat

MD5 6e20b488c8a63efb442c99fa1b774350
SHA1 5e8350ffa682d04713d1330c2fb695a9ef63e200
SHA256 47601bb87d8dc469ce3917a57acd225d7a722aeb8cc00e14b5a0916ca0b79487
SHA512 c7306d2205ea729275704f3e6bac749dc7d6a3f3266befd5bac0c34a9861b90b9edf9f556d6da74da80b217827ba4f1477c0e22382e2b7dbf6b8748853b0a711

C:\Windows\iesuo.exe

MD5 cd793db0e7732df59509819a9dcab205
SHA1 21dea26481e08c11793aa4c62fb4b25d5d8a03e0
SHA256 1615e8f4beb8eb2f25a5cbc2b8eb79c5b2de3dc14cbc77be4b881975584842cf
SHA512 1bef34188b57a82bccfd5aa4293b3c08e001ea4c9c348fbfe20e64ce61c6445564cff8ac964d2d5257d6232ec5a5b0e145f940e1f7158d0cbe170da077ac4c0e

C:\windows\ico.vbs

MD5 a1bb4a347f1d8506df362f997d31145b
SHA1 7da20159ffc308c0d7e0127b7afcbf8b1f3886fb
SHA256 0492f2a51255aa2bd5979fd5f4f0fd6539f08c85006c34123f204b0b49c8dfc3
SHA512 76a0c7d383bc2cd9eb838f48bb310e7a778bf2897c393aa47ee238fa89e8811e87e55b7f1b9027d26a207c303eecd065047d87a2cd8d4dfc198e4e5bad67f428

C:\windows\ico.bat

MD5 b6fbd77f9dcfafcbde0b51e62107c9f5
SHA1 884c06bf9cdef016418724a65529cc906157b61d
SHA256 59cc52947185c4e52f738455a6083b9593e4f58f89a2e212a37abfcf03d335a9
SHA512 b488b8926071d46a554a5f1b25b3aae7a5b7425155e692ddb48f1d26c31a6ab6b611757e7109ef99e2fc58cde4f33bb1cf33a09b5352fd08238f8dc7f9cbbd8e

C:\Users\Admin\Favorites\伤感歌曲.url

MD5 6b2acb5da930b408e1add6d7b794ead7
SHA1 4febf0b63e4c6a40f88b2ba7fcdcbc32b017a9f0
SHA256 98a1d62e94aeddcf26a30d0b356b0b48dfdff0a09fff298e716f789070be2479
SHA512 bff462c7d26cc55dc4f3ba17a699d00109858d61cddc716e9d8cb51452324fe96b89de5146e00b4c5e8a549511387cc3a430f7a2820c1d3c6ea753478031ea2f

memory/1656-69-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\RegText.reg

MD5 538f4e3b2be9afb04d26345829b2bd72
SHA1 7ca7d0dede8e2f13f3db026b8d8087aeb223ff5a
SHA256 7f7055a6db720fc2d107ba761746f34529149d21704bee987774cc2552b3fe4e
SHA512 96ee8c9811a67bbb2e31b184cba2adae8ddcefd11df9ca7b70e7aca069fa812717f7c18f6e69fcec92184593e4632ff6ed71564db5817ed0fdbb3a5fd33acecb

C:\Users\Admin\AppData\Local\Temp\Cab393B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar39CC.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42fe98c333edca3d952c51dbf2e9773f
SHA1 448fe7afaf716cbe38572c6ea85816171fb02020
SHA256 808593e7df2d1021b1e9f1d73658c93d74ca7ef35e844d35af48b131b0274c25
SHA512 3bba7d5a3cc2fe25d2d68ed6d422cf58f6b43a7bc8ab9615109cf499c72064deee8e16d99e8d4bcb5a19e507d9c64fb93023b6e6d829e2be341e72f0c66ad1ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 de6015fddd480894e171fb71cc6bfc85
SHA1 96003b884934ce8ffe3c2576b47457fb36601563
SHA256 a336fb17cd83501a9364cd1d2479adee75b9e411cf503aa7133b328b02572ded
SHA512 c0918b058ea7eeda4443d20608cd9fc4168d33955037be0d95d911f4caca23a4beba39abeaf734298e0f8278936c99ae095b1bad440dad25b15cecb906ce1121

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbbafff20c8ae35b0339bcba89c4a7d8
SHA1 d7e93aab011098bd1d3948b1fe1af62c79df60d0
SHA256 e20674c4043ea371c013dc8a162cb148c8a43815c7bc32edf759d6cb4494eff3
SHA512 7490a7789e55c9f63fa0a3c476b09216caaf5236f7a86eaec26709e418b02eb9514411e5d4928a9822287cdee8ea704866e9e6db4e193f0a6079c63ab52c77e4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d5cd1307f45bff4d6523a0c5b4c013c
SHA1 0813b81f98ad2758ac2bba8f6f9ce472e00eac23
SHA256 e451721846b0986fde48e31b4436c511f5453cd040907b55c028ee48ed29eee1
SHA512 c49dd5e4c867abc717395f42e6f7bdbff1499c6c5bf49ff2f27b6ec9f4ef65447b38ecca6bf5bdb03acfca88b29d0d22a5ced3c8e0fcc841cc5cdb5aa6303b11

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d33624f31f6c9be6aa3e729d678a7937
SHA1 a7f0176e4abbd0ef95e8a874aa0f341a18b6588d
SHA256 640eaf095a16eccc6a362ddf0f04911f16a19bc9f3a85478ef33942c1194dc86
SHA512 0f43e8e2ad96fcbc670601685f1a072a03874e8091de94561c85fb014878ce13655f5bf8574109f1ed327aeaa1b5ab90245bc69b551b08283b357a55a0f6336c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8386c4a70e6aa8e84e5eb7d075131f72
SHA1 d94b79fbec4a4ce2b69d93bde6c3b1d10115f6d2
SHA256 c970b12d428dcf3dd266a05d5a46adb5c14d15a325ec4f73c1dc7e61cafd9f40
SHA512 3fe0ec4b2a3bffb6785e139a78b67d32ef0569a1f5db437b65aaeb215106f01581ee7a5ea3674d7f76112d369e37e37b1af6f519a2a4d625e3453f37825735f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be5623aeef1650ff99107626dff5b8a6
SHA1 f4b8d734976ea9985020caf7b6e350f21325b10f
SHA256 b6f801adbb02b35d026452bc5be102a382070315d6a3c665a6ddaa0ab202ebe3
SHA512 bc60d189490022abdeb8e4c5daa68c019a1af9e1f6114141aefec84ef8140506374a3aac08d6e3d19964d6a95e2adcd6683ec2dca47ff05363aeffaa8bac8d78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 251fc14522200b23c03fa0867b6829e6
SHA1 9686a7d59c5ebc42ed548b8e03e94908df376022
SHA256 402236c4bc2244e41dc0f4c43f53a0011936f1dca3886b92a9be631ff6e9d034
SHA512 3295ba377decc7e8dcc7f5b1202f25be0ba9d21ee1601813285373d47b28ce0b66eadafbb1cc30a338aacdc04cdaa80391dcf778c47828d3c921129629b08ff7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 582342e4a95084537c498d39c13085af
SHA1 9ecb708ffe90989e3779b3ac7bfe2b1745a7d14f
SHA256 8e05144aeaf48bfbbd04588bd65bf3f701fbad338ab79dd6a08f87139721fc58
SHA512 5e86ac113f6b8f16cfaeda937651a5f0540e8fa11ee51856b124fb879b04beeda5a8da79b9d4f344615e5d3507f2bfa10074e93ed27faaec8bce72f1364b6fdf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5ad66e236322010c966033ded71eed2b
SHA1 e9816c0615e8c9bd9c5c8bf574341fa7c5451178
SHA256 2250de2f2b552d436de4f6e11201e34d22c7493517bceb83515c7abebc49ebbd
SHA512 be165a19628361540f793940bf7f9cfff195c7fe508a33677fd085b4d5db73af97acf49aabef4d02ff73a5182a144addf983d3a13f8ea6a0c7010544867f22fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba4186520dbcba951d65000aa9547e2a
SHA1 a1818e9714775e1edf914bc75a89a886f85642c0
SHA256 487c19665f8812a79d6e667d6931ff296004c4dc0054148a58c65c6fb5a6ce3c
SHA512 d725f23c7f66ebe8049125f8711e83bb36715f28f0139559bc7638f2b55eee32e6785f86a8ddeab2df8d919a39f99ce55d17948f45d3fedb03906bcc7a3658d0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dde90a4966978ae9f2bff30c480c5e9b
SHA1 3f07715802cfe06113850267ce83a82f8937c2d6
SHA256 285d4464cab1636f7c38f104a62e91de214072918403efcb9517adb72ba26ec5
SHA512 5520be40182aa476b59a5379edd2d12d1db99b277d475fffe196977eab36dd2b940e339e60c6058f9bfcf59b1fb1fee25e3f8fabec6e59c1d33056a8256e57f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20bb47754048867454e1d42f3032e1ad
SHA1 399f50bb7ee62abc3e419c4667c50c7eb2178bc5
SHA256 7a3000e5dc3f02dd4bf82f5cc45882da39341fbee181cf4dfb5a6fe11f326dad
SHA512 6c6b79a44fb191d16edae03f3fcd5fdde56a637a2ef5a6f855a85ec8a8eac5a6a7c993761601cff0bdb830090ce7e2df35ea632d7fd60f5c8b1079aa301c7ad1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 199629de119370e781fd0fd779817a3a
SHA1 3ff744809b41a345b2d8f8accd4504a4ecbd3149
SHA256 523f2f7cfec32fbf7a78ecd55bd5fb47a93369d2afe9fabf165f0b70f5980d0c
SHA512 a2db4b39dcafdac98221786b38aa58aff2a4a0d1124e547df37dd880e6bec76f53c905b44f2664aa8cbd14d9507947b2ff1151c22d64fd5ae1b9e31659033296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be8d47664977086e9f9641be8e32bd19
SHA1 6ed9dfc2e8c6a3b33f2f7bc1af338534b1227490
SHA256 7c1a5e1dadd9f93a55a1e679fc7868f981688b80d794500b2584352af4e762eb
SHA512 2018635e2e5efef4ddc072140cde95e48443fae6e66a8e93fdaf60ec7f81c101770ffa71b48630a6839bab948d43a673a2d83db1cdb993847277b286749b6052

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac4c58dfabe76c6f62779cbe2328e733
SHA1 7760a89b975e44226060f39348495351ec84c631
SHA256 3cb947c2daf6d79ca0e2e5a9469084f9479158d82bfe9d0638aa214d1edae202
SHA512 e6efacd36267994a87c5502d1218ac6965fd36d09e821e6ea2bd5ae034f11c5574aa23050f7a8d458631aa953015fc3c1d4efc7fdbbbd3f12f1eb0f1359e0486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4fb2fa4cdd1845c7ed4c03b604aaf591
SHA1 c40bb7f6e752863dc5e354999e1b58b7b2da13ce
SHA256 25c86ebdd3a725ebef0c59f574ab72cc06a84d73eef2364a610a7a0c4d09f0f6
SHA512 a3e7e6c79640bb5e95c81394aa91eb702abf3d6b76a11394a20a991cf872b8495701435fa8c852ae2a4421f219a93eac5e6c2d5daa7bce7201e6eaaa4ae2adde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4082b9d3d37ca29d5084e23ad6d1dee0
SHA1 9fcaa2984929fcfe2ca7f8dd183d4cfbf2a107bc
SHA256 85ce7dcdcd886c41e9b07fcedf888b0579ab4b3d6114741f40010be4a8221957
SHA512 4c9d86a3b0358a0e2d002ce13dc318b478e8e5d6fb8e66a7f792cfa5eb512aef9cea2b4957b49ffa64950589cdefb0708b59650d85d20d1674e97292d280e5d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89f13eb2b6ad3405619b5966fda94087
SHA1 30442bbf21226bfb69ce168bd03a34a766c3223a
SHA256 deabfeb946c3bf16de7fb8273a42e0d2ce29ce966ec23b7da9eea9c4d71caf0a
SHA512 e15a1d5fb372bdfcfde521c583b5ea15cb682f57348b36f44b3f895e03617c781493bbb2099a51c095762bd70fcd813406adf8ef78833833fbc2521485d9b69e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 20:44

Reported

2024-06-27 20:46

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\iesuo.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\urlzm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\urlzm.exe N/A
N/A N/A C:\Windows\iesuo.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\iesuo.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\iesuo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\cy.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\mp3.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\ico.vbs C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\ico.bat C:\Windows\urlzm.exe N/A
File opened for modification C:\Windows\RegText.reg C:\Windows\iesuo.exe N/A
File opened for modification \??\c:\windows\urlzm.exe C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\mm.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\yx.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\taobao.ico C:\Windows\urlzm.exe N/A
File opened for modification \??\c:\windows\iesuo.exe C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe N/A
File opened for modification \??\c:\windows\dy.ico C:\Windows\urlzm.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O) C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "WantsParseDisplayName" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E} C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\Command C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R) C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "HideOnDesktopPerUser" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ = "Internet Explorer" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\DefaultIcon C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\ = "Open(&O)" C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p:%//%12%10%17%18%10.%c%o%m" C:\Windows\iesuo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\Attributes = "0" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\urlzm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R)\Command C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\Shell\属性(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" C:\Windows\iesuo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder C:\Windows\iesuo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF5D0589-76A7-AF11-AB16-59306CC8D88E}\ShellFolder\ = "HideFolderVerbs" C:\Windows\iesuo.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe N/A
N/A N/A C:\Windows\urlzm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 4584 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 4584 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\urlzm.exe
PID 3628 wrote to memory of 2492 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2492 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2492 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\cmd.exe
PID 4584 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 4584 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 4584 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe C:\Windows\iesuo.exe
PID 3628 wrote to memory of 2128 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 3628 wrote to memory of 2128 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 3628 wrote to memory of 2128 N/A C:\Windows\urlzm.exe C:\Windows\SysWOW64\WScript.exe
PID 3628 wrote to memory of 5064 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 3628 wrote to memory of 5064 N/A C:\Windows\urlzm.exe C:\Windows\explorer.exe
PID 2128 wrote to memory of 644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2128 wrote to memory of 644 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1332 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 3640 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 1968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3340 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 1664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 2472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 644 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 2084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 644 wrote to memory of 4600 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\17752f2da51816eaa4072dfb75b879f7_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aa.bat""

C:\Windows\urlzm.exe

urlzm.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kill.bat""

C:\Windows\iesuo.exe

iesuo.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\windows\ico.vbs"

C:\Windows\explorer.exe

explorer http://t.248.la

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\windows\ico.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\淘宝特价区.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\赚钱好项目.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\高清电影.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\美女图片.url" /p everyone:f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\伤感歌曲.url" /p everyone:f

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\淘宝特价区.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\赚钱好项目.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\高清电影.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\美女图片.url" +R +S

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\桌面\伤感歌曲.url" +R +S

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://t.248.la/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\淘宝特价区.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\赚钱好项目.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\高清电影.url" /p everyone:R

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\美女图片.url" /p everyone:R

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c02046f8,0x7ff8c0204708,0x7ff8c0204718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\SysWOW64\cacls.exe

cacls "C:\Users\Admin\桌面\伤感歌曲.url" /p everyone:R

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /S C:\Windows\RegText.reg

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

cmd /c del iesuo.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4402538851279165383,13127434301316245545,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1316 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
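
Most of the rows above are PTR (reverse) lookups of the form `N.N.N.N.in-addr.arpa`, which name an address with its octets reversed; the only forward names are google.com and t.248.la, and t.248.la is resolved four separate times during a two-minute run. The script below is an added example (not part of the sandbox report) that parses the table as printed, separates reverse from forward queries, turns each PTR name back into the IP it asks about, and tolerates the multicast row that has no Domain column. The embedded table is a constructed copy of the rows above; the function names are my own.

```python
from collections import Counter

# Constructed copy of the Network table above (same rows, same order).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 25.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.248.la udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(table):
    """Split the whitespace-delimited table; the mDNS row carries no Domain."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:                    # Country Destination Proto only
            country, dest, proto = parts
            domain = ""
        else:
            continue                             # malformed row: ignore
        rows.append({"country": country, "dest": dest,
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'82.90.14.23.in-addr.arpa' -> '23.14.90.82' (PTR names reverse the octets)."""
    octets = name[:-len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(octets))


def summarize_dns(table):
    """Count forward lookups per name, list the IPs behind PTR lookups,
    and keep the destinations that carried no name at all."""
    forward, reverse_ips, no_name = Counter(), [], []
    for row in parse_rows(table):
        domain = row["domain"]
        if not domain:
            no_name.append(row["dest"])
        elif domain.endswith(PTR_SUFFIX):
            reverse_ips.append(ptr_to_ip(domain))
        else:
            forward[domain] += 1
    return {"forward": dict(forward), "reverse_ips": reverse_ips, "no_name": no_name}


if __name__ == "__main__":
    summary = summarize_dns(NETWORK_TABLE)
    for name, n in sorted(summary["forward"].items(), key=lambda kv: -kv[1]):
        print(f"{name:<12} queried {n}x")
    print("PTR targets:", ", ".join(summary["reverse_ips"]))
    print("unnamed destinations:", summary["no_name"])
```

Repeated resolution of a single non-Google name is the row a practitioner should pull out for further checks (passive DNS, the resolved address, whether the dropped executables contact it); the PTR lookups are worth keeping only as the list of addresses the run touched.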

Files

memory/4584-0-0x0000000000400000-0x0000000000492000-memory.dmp

memory/4584-1-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\urlzm.exe

MD5 cdf7696202055858ff628092f1c8079d
SHA1 832aa1caef5ff8e13f61294986bc3e29e350b3d3
SHA256 834ca6b6eca8283c950f356f09c12014b7298908eeda2f985c4d920ef97a0a71
SHA512 58232e3989e8ceb89be572bc896af4da745bbbe4f9b3a61f47f64f77024f628d455d4b24246e1600f512cfef2f5caa554dedf6909a4211ed0a13cc28159926b8

C:\Windows\iesuo.exe

MD5 cd793db0e7732df59509819a9dcab205
SHA1 21dea26481e08c11793aa4c62fb4b25d5d8a03e0
SHA256 1615e8f4beb8eb2f25a5cbc2b8eb79c5b2de3dc14cbc77be4b881975584842cf
SHA512 1bef34188b57a82bccfd5aa4293b3c08e001ea4c9c348fbfe20e64ce61c6445564cff8ac964d2d5257d6232ec5a5b0e145f940e1f7158d0cbe170da077ac4c0e

C:\Users\Admin\AppData\Local\Temp\aa.bat

MD5 c39cf11a65520ba86f428c34bbe8729b
SHA1 4bdce91b5c7ebaa7b8bcc380596b34f06d82d9cc
SHA256 1809630e00b7ba038d2e410453e5146ebea82e15bfa0b281bcd6731605536e0f
SHA512 16f50fa9563f5e7b29a3546f655b2e9341cdde3ef3067e8466bdf29b8ceab9f27768dc63968286320f1c2f7e32b40c7fb19564806d9e7405ef2efaddf7c1a755

C:\Users\Admin\AppData\Local\Temp\kill.bat

MD5 6e20b488c8a63efb442c99fa1b774350
SHA1 5e8350ffa682d04713d1330c2fb695a9ef63e200
SHA256 47601bb87d8dc469ce3917a57acd225d7a722aeb8cc00e14b5a0916ca0b79487
SHA512 c7306d2205ea729275704f3e6bac749dc7d6a3f3266befd5bac0c34a9861b90b9edf9f556d6da74da80b217827ba4f1477c0e22382e2b7dbf6b8748853b0a711

C:\windows\ico.vbs

MD5 a1bb4a347f1d8506df362f997d31145b
SHA1 7da20159ffc308c0d7e0127b7afcbf8b1f3886fb
SHA256 0492f2a51255aa2bd5979fd5f4f0fd6539f08c85006c34123f204b0b49c8dfc3
SHA512 76a0c7d383bc2cd9eb838f48bb310e7a778bf2897c393aa47ee238fa89e8811e87e55b7f1b9027d26a207c303eecd065047d87a2cd8d4dfc198e4e5bad67f428

C:\windows\ico.bat

MD5 b6fbd77f9dcfafcbde0b51e62107c9f5
SHA1 884c06bf9cdef016418724a65529cc906157b61d
SHA256 59cc52947185c4e52f738455a6083b9593e4f58f89a2e212a37abfcf03d335a9
SHA512 b488b8926071d46a554a5f1b25b3aae7a5b7425155e692ddb48f1d26c31a6ab6b611757e7109ef99e2fc58cde4f33bb1cf33a09b5352fd08238f8dc7f9cbbd8e

C:\Users\Admin\Favorites\╔╦╕╨╕Φ╟·.url (the name is mojibake: GBK bytes C9CB B8D0 B8E8 C7FA rendered as CP437; they decode to 伤感歌曲.url, "sad songs")

MD5 6b2acb5da930b408e1add6d7b794ead7
SHA1 4febf0b63e4c6a40f88b2ba7fcdcbc32b017a9f0
SHA256 98a1d62e94aeddcf26a30d0b356b0b48dfdff0a09fff298e716f789070be2479
SHA512 bff462c7d26cc55dc4f3ba17a699d00109858d61cddc716e9d8cb51452324fe96b89de5146e00b4c5e8a549511387cc3a430f7a2820c1d3c6ea753478031ea2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 439b5e04ca18c7fb02cf406e6eb24167
SHA1 e0c5bb6216903934726e3570b7d63295b9d28987
SHA256 247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654
SHA512 d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

\??\pipe\LOCAL\crashpad_4132_QLZZXGUWGMZBXKQU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a8e767fd33edd97d306efb6905f93252
SHA1 a6f80ace2b57599f64b0ae3c7381f34e9456f9d3
SHA256 c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb
SHA512 07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9b82f9d9daa14ad946014585e8d33ae1
SHA1 20d7c79408ae153949d5e3064a97e93d1ca7e9c9
SHA256 1994e2e00a243abebc77d88e87be01399cca339a900908e2c6433463d5476b2b
SHA512 aa16a0640e4cbe786c536dafae35e4d531eec7d79abda6cc903c670699343f2c9005813c6f494586470d8055055b6d401ec8f94a2571e47138a5a25c8c9b5aca

memory/4584-77-0x0000000000400000-0x0000000000492000-memory.dmp

C:\Windows\RegText.reg

MD5 538f4e3b2be9afb04d26345829b2bd72
SHA1 7ca7d0dede8e2f13f3db026b8d8087aeb223ff5a
SHA256 7f7055a6db720fc2d107ba761746f34529149d21704bee987774cc2552b3fe4e
SHA512 96ee8c9811a67bbb2e31b184cba2adae8ddcefd11df9ca7b70e7aca069fa812717f7c18f6e69fcec92184593e4632ff6ed71564db5817ed0fdbb3a5fd33acecb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d92ffceb43ca8ee715c85e926216b07d
SHA1 7e97f82592f8261fcdd20e8cc013d7308c3003c4
SHA256 6bb5c1870adefe96f064e46e1b5b877151a2e09fc7174c9b796f6178faeadd5a
SHA512 d818181269f02e1bd494ebe63086a5dd1dd314b911d5e7c77bd00c000d18aede87afd6ff51576354a4bbf74ba99ed4f58ca7297edc46c425911ed6f61453084e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d795f92c0ca97353589790ec939bea1e
SHA1 8d1e9277dfc5ceb673e99467dabb5fc086d63f0d
SHA256 cd93c1ba9d536aaf2455ac39d24abd911a126a55d68eab18d1bff5ee797fb596
SHA512 10369cb4857bf6424bb09579a1d0f0f2eed8c05064b03451fdeda446f281d990870e353b0b72cc51d9049c68da8f8c37e573960b9e9296d83dae5ab1af6adfbe