Malware Analysis Report

2025-03-15 05:52

Sample ID 240627-ztlvvszhrf
Target 1781f7becc35db97f28158ce603789b7_JaffaCakes118
SHA256 144512e588badcb857a4382e4ff032c8d215b7f2571cd04a304a77d69225942b
Tags
vmprotect bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

144512e588badcb857a4382e4ff032c8d215b7f2571cd04a304a77d69225942b

Threat Level: Shows suspicious behavior

The file 1781f7becc35db97f28158ce603789b7_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect bootkit persistence

VMProtect packed file

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 21:00

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 21:00

Reported

2024-06-27 21:03

Platform

win7-20240221-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\svchosts.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\svchosts.exe C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A
File opened for modification C:\windows\svchosts.exe C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\progra~1\Intern~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\progra~1\Intern~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425683908" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 008f6d24d5c8da01 C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4FE2F441-34C8-11EF-AB07-4AE872E97954} = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f1aecdcde40c5d40b4094c328066fa930000000002000000000010660000000100002000000004338d0bf81cd512bfef02e9b22c867a130f2804ca4607f10947133f5f95e538000000000e80000000020000200000004258d7f8ef2d766997b429d3771786d33988078a6d420a5faf4340d5db8502ae20000000c806617ba7d554f2734be7f77f963c6552ed768cc7ad8db4cc6bb44d8b1ae330400000005453adf6c25d0f69a33f157ae2e0f596979524746f74edd692a9c03fe3a9f20e2a8d1a6a2763207ae30191b21fe7a8ccb0fff795898419c41e2b88862c5e54d3 C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\progra~1\Intern~1\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\progra~1\Intern~1\iexplore.exe N/A
N/A N/A C:\windows\svchosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\windows\svchosts.exe
PID 2528 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\windows\svchosts.exe
PID 2528 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\windows\svchosts.exe
PID 2528 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\windows\svchosts.exe
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\progra~1\Intern~1\iexplore.exe
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\progra~1\Intern~1\iexplore.exe
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\progra~1\Intern~1\iexplore.exe
PID 2528 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe C:\progra~1\Intern~1\iexplore.exe
PID 2588 wrote to memory of 2696 N/A C:\progra~1\Intern~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 2696 N/A C:\progra~1\Intern~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 2696 N/A C:\progra~1\Intern~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2588 wrote to memory of 2696 N/A C:\progra~1\Intern~1\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe"

C:\windows\svchosts.exe

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe

C:\progra~1\Intern~1\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=QM00013&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2588 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 jianqiangzhe1.com udp
US 8.8.8.8:53 ip213.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Windows\svchosts.exe

MD5 1781f7becc35db97f28158ce603789b7
SHA1 17e1189aeb37734ff359ed1eb888fae974bd1c89
SHA256 144512e588badcb857a4382e4ff032c8d215b7f2571cd04a304a77d69225942b
SHA512 45ea1b95ccb43455e28e1ba66fca502017bac45a4f60ec4656d793ad1b7143865afcf1a8e05d032d3e0620ef846b2235e578f4eeed62127c6b1821a798ff97cc


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 21:00

Reported

2024-06-27 21:03

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\windows\svchosts.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\windows\svchosts.exe C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A
File opened for modification C:\windows\svchosts.exe C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4FD12F4E-34C8-11EF-9519-5ABC67A14C95} = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115477" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e4d024d5c8da01 C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115477" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 905ada24d5c8da01 C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000160d988c47a2fd8a9840f9b2cc8f349b4c80d7bce737b6432fcd0e4139b2d293000000000e8000000002000020000000707811500ef9b266e11cf070e85ec9ea092ebc36618452f15b24db6357c76279200000003b5a60dce5044a4365e3f4d873bf921f5d28b320a9f6faf0b14c9da86cdd8a0e40000000336be863ec3342d8a9d95c89cd0ce1149040ac93620503b8c164dc6bae02e0d96b5113d1f94d4e6ec5a4977260ab95784f53ee3baa32b3d5f25c1a379d7cf188 C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\progra~1\Intern~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\progra~1\Intern~1\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "607359941" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "609547811" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "607359941" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426287015" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115477" C:\progra~1\Intern~1\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\progra~1\Intern~1\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\progra~1\Intern~1\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000009fca470b0dc72368a23c2579e19e53a5b21c34ff6a8c51763ac08e0263c1a562000000000e8000000002000020000000594bab327506be554e618fdc049fcbd74cfa056b683c6f3eff88188190c10df320000000d6fa88106e9b390abeed6c38718bf84d5e6e838a48c59d32b19ae34dc406b45d400000000eacd2c398fcccb6a3eaf0e178d955986d8faffcea4716a999d127535efde924cfad0c0c8ae14629fb747a82599c4892772733c9b6d14a0fc52dde101fe828d0 C:\progra~1\Intern~1\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\progra~1\Intern~1\iexplore.exe N/A
N/A N/A C:\windows\svchosts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1781f7becc35db97f28158ce603789b7_JaffaCakes118.exe"

C:\windows\svchosts.exe

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe

C:\progra~1\Intern~1\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=DD00013&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3176 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 jianqiangzhe1.com udp
US 8.8.8.8:53 ip213.com udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 jianqiangzhe1.com udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\windows\svchosts.exe

MD5 1781f7becc35db97f28158ce603789b7
SHA1 17e1189aeb37734ff359ed1eb888fae974bd1c89
SHA256 144512e588badcb857a4382e4ff032c8d215b7f2571cd04a304a77d69225942b
SHA512 45ea1b95ccb43455e28e1ba66fca502017bac45a4f60ec4656d793ad1b7143865afcf1a8e05d032d3e0620ef846b2235e578f4eeed62127c6b1821a798ff97cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 65ab4d32251bda2022c64cb66ce440d2
SHA1 bb70242964638ef1feb0a2323b71fe383e01aca2
SHA256 df7287484d30ed3dd8785c145fcd7802890d57e8970f264dd638d9be86cb1888
SHA512 b1c0359c398ff92fd35fd1af5e5103337af8c5057152521e967a9724bd7482997f89192ae04a7255b3609103a7e88272c819668adb41565bf0d34bd0c39e74b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 fa34ecb8815a2d98849888cb1cdbf38b
SHA1 84fd0e04586009efb3683c98da8d9aa41487cd42
SHA256 5077a54924f80491a74ed78bbd73ff7bf85a27caddb80ceaa9ccb86f8b9a11be
SHA512 ccfdb76ccedd0076601e17272d346229e2b9c0dd884c09bb7701b32c5dc177da8a91bb539ce751297d8ea44716fc497e8a337a9499c93a474ba85915f28f1053

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VLW1SL5J\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee