Malware Analysis Report

2025-08-05 09:35

Sample ID 240528-bwkhtaag64
Target 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118
SHA256 cd59596c31ef8ad0b85b734306bde1a1fbfcc96d0f26f9d8d78bf89050a3bbe9
Tags
discovery
score
7/10

Analysis Overview

score
7/10

SHA256

cd59596c31ef8ad0b85b734306bde1a1fbfcc96d0f26f9d8d78bf89050a3bbe9

Threat Level: Shows suspicious behavior

The file 7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118 was classified as showing suspicious behavior.

Malicious Activity Summary

discovery

Deletes itself

Checks computer location settings

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-28 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 01:29

Reported

2024-05-28 01:32

Platform

win7-20240508-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C028D092-B175-4252-87CD-E1173D6D736D}\URL = "http://search.heasycouponsaccess.com/s?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000d3c24c39bcc523ad6bbd9c18ca88c0f451ef4045824965553895b28a332b1a6d000000000e80000000020000200000009d3558ae036763550920e0febcf0bcada3081e0534b79abbc930cfacdca15c8a20000000aef704d660a3c1e3bd8fb2ef7c2bbac4827b20608f5ff36a21cb83b3eaa52fa040000000e3cab20196b22547e826593134c6a6cc0fb92a6b373c8eafe694bd05a5cc6d38254f1d3f12115e8b55b0da076de40099e449c0ec99548b5aa6bcf93f49b31da5 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\heasycouponsaccess.com\Total = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C028D092-B175-4252-87CD-E1173D6D736D}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\search.heasycouponsaccess.com\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30afe7999eb0da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\heasycouponsaccess.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\search.heasycouponsaccess.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C028D092-B175-4252-87CD-E1173D6D736D}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\heasycouponsaccess.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "21" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C17E1521-1C91-11EF-9BF1-5630532AF2EE} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C028D092-B175-4252-87CD-E1173D6D736D} C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423021649" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.heasycouponsaccess.com/?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2348 wrote to memory of 2360 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2096 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 916 wrote to memory of 2480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.heasycouponsaccess.com/?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c FOR /L %V IN (1,1,10) DO del /F "C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe" >> NUL & PING 1.1.1.1 -n 1 -w 1000 > NUL & IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe" EXIT

C:\Windows\SysWOW64\PING.EXE

PING 1.1.1.1 -n 1 -w 1000

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab18E0.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar1950.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e49d656437b1b21687c2ace2ec790d37
SHA1 be498dfe6261dfb624ca33e8f6cf9f2021cd8ed0
SHA256 44f57fbe476450cfdaf9e044d09077fa0edc780c3146bb89d5758b8150b301ec
SHA512 7d418ed6fc7c717e5a46a15820fb4ea78c9da3892dff5c6981138747818a5dd3f8c099e9bb91e65b38f3e6f4ab62100581e733b8fab9c5728c1d77164d0e398e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9ef8159d095313a115b187e1939466a
SHA1 77d7ffd966d527bdbb858f214f335754abd43f2c
SHA256 93285527d0199296a393bff9d1348714de8d322acb481d8c924ce213b0808ff8
SHA512 7e3c5a16a6680eea844edb3264cbbe43760d83afc04e8e9ff12f7b330196f20de554d24a181aecb73c5ac6579e7bbfc350d4b1dca883cf01e327d6ec71411837

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8bde5fbcc6ae6a90594ea49668c9b443
SHA1 0cf9045f060d6205e20b365570ab28548ed7643d
SHA256 2a35dc34e2bdca53c9e6506d1ae820c9fd5f1370121761bc48f236f13cf9f6f3
SHA512 81d8343389e83ffeed917e2f3694ad02bc80c9c6487e527d4f90477eb05fec2466a3880af7937adaa7ab4889c76066743178ab6a9743d824c00934e6322b0f67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 777b0e8fb469bc3271ebe856199b5d3b
SHA1 67498aac208b3e916602dc39a9dfade7166eef3d
SHA256 499263c7c970d093869982152704afb1e5143466fe61d089e76b61e4972bcb5c
SHA512 81eb68c72ccb1b93920d0803c83b0f1dadb5e61f68e62e85f6c00ce1c9aa568319b9808f7691a27897a5c34eb448f6579db2d2a2b364cf912e9a223ae4205b3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5536190b1cc736f694f385e316878044
SHA1 df9281cf748de5e94ba9d71402e3aac27215bd64
SHA256 70053cb4a8ecf99f3e318b4a39e3a41ebb26a77ad41b55be779ede9cd5ecf7c4
SHA512 462d7becddb341ce62f3183faf8d96eda353a92e8d3000f4c0695518937eaed9bb7d9f0dfc75e4a4fa584196f4a54a41e4b866967203a28e1e551d0b2dc524ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 417bf1fc692eac959133d2defb931ed1
SHA1 097fc28117c047c0414d0c5532d2d63496d65948
SHA256 6a82c961a1ae3f0e537678ea244bf041bd3708d817ff5c157bbc05e3eac95114
SHA512 9e51d8a08281e1f14339b5ea80617b6be0e7d1541dcb6ccdce1a03beaa964ffbbdc20575d1ccb2b4dbdf9520e5f5ad2cdddb3db41f092fc137e02f784e41c323

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SVBQZB4R\analytics[1].js

MD5 575b5480531da4d14e7453e2016fe0bc
SHA1 e5c5f3134fe29e60b591c87ea85951f0aea36ee1
SHA256 de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd
SHA512 174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IO0LJX84\js[1].js

MD5 3c9046926802345ad6a7b42a62a59876
SHA1 7deec7e0f0bc31b6882a9306460afa37ec24fed1
SHA256 3c2c5e272017ff6b0d845a6d9b76048e9bc3281e610284c9fe5a2919116fa759
SHA512 7b9acb3f926e63928ff9f03eaaead31dd3166a543cee5284932b5863c01770deee831eb11dba9935aa12c68f9a5f84f51b87f761507d5c182029dec0559ebd05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

MD5 425df769275d29001dbceb5ff40df90e
SHA1 8b5c6fcbe5cf2b67a8a10803a024d9f094014878
SHA256 a80cb74ff8d88356f419e95508319d4f62f811c031278efb0e08ba43e385d14b
SHA512 1f21d136d995bfa538442b27c0aa949c7cd3e5956ce4802bfc4874cc709cd8bcad4d91f17dd408d7eb022a9e698a091287f1e05dc270a8abf6d5ec39c21e859b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

MD5 8836806674d69b95b64bc45939dbcd7d
SHA1 c1bf3679d7ae5683524e7cd47182d04fc2706870
SHA256 1b52d3f0248b43f8ce2d4314315454a9b3a0ec71ac2910556dffb497b4ceae8d
SHA512 9444a4b18ee83c817236c939356b521e4d1f94ec502b89b4ceaa7e275dc48ac1d02a376864cba1b30956558998d9cf9c72c1635529c49a18e63ca9868aca4943

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C

MD5 dff9209b048db45fc7595cb17c8445d8
SHA1 d9b24f2e32489117b4b7fdb291a8bc1dc66d0620
SHA256 fcd21edf1221ea44b10d7b0e3de792fc2a4b0fe3f8aea14279dcd88c9fb9c7b7
SHA512 cedb857cf3fd22eb21e815cd65992a8500ba909198a97ac844689e6033e50a91295e5d3292183d4cbdf77c15b088bb060a2479d467a2ceb01d495c0327977ee4

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AMSM2PJO.txt

MD5 16e95c5e2e1e729c6720dcab4eb2f442
SHA1 52acccf022d6b37f7cfbe183215447ae142f5c74
SHA256 92b587b0836db2016b9ac34978c4fba8e59c5a4a411ec6450edbd07f42cef652
SHA512 dcf9478d9cdb089ff643d28b575196bcc42130002747846c4562e57a03ece89797251398090fe1169f3f2e409c6b25fce4d21d74884e0a7bb08d0897f7647699

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\favicon[1].ico

MD5 504432c83a7a355782213f5aa620b13f
SHA1 faba34469d9f116310c066caf098ecf9441147f1
SHA256 df4276e18285a076a1a8060047fbb08e1066db2b9180863ec14a055a0c8e33f1
SHA512 314bb976aea202324fcb2769fdd12711501423170d4c19cd9e45a1d12ccb20e5d288bb19e2d9e8fd876916e799839d0bd51df9955d40a0ca07a2b47c2dbefa9c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\q7my5tn\imagestore.dat

MD5 cb1a68120bf4a36295899a65d199e13d
SHA1 2c1754b0491d11744a0bad67f47a0fc14841b5da
SHA256 002f3abcd6b7c4598c6e91c0e0c3b86dc1b5f58c7bfc6884d78ef2e293d53198
SHA512 0ed04de63d459ab6431c3b26814e75b3054abb4ba51ddcf62caf7e036f85a3c91a40b7a02a14bb166718b3b29b715e59997043ab489e67cff86e1e7672808bd4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5728d4cac7f853dc8da4f3a897a13e6
SHA1 de50a975bf8797ab9fe14d3684949027eec78829
SHA256 0b2ad84b7560fd952e53d957ee2b439566c17917f499a0d8e29f5199e56cbbc5
SHA512 9e1f71189770786bb3604b473522b3c870641191fe367f913daef267e39d8cf8e1f722c3170d722c9de9b5e904937fe7c9b7b6be8d8c3f5883003af1e6fb0099

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5bcfde32682abf11cc5bb759c2ace07
SHA1 f7100b9dd1223e425a74b9459cec666477d33f94
SHA256 9bbe883ebed91da1f685e05f1fc32839ccb5c2575526f0db44fe83588f91f677
SHA512 98ddb24341e27ff07382e99871bd6ef851373ef6c6f601405fd0595cb2f3d1879f9c65e669dbcba999322a4e59ac10bddc6f66a1655d5a0348536fddf6182aa5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5654127545e806c6b3ad15e80ea8b3d
SHA1 d951aaa7574802a837704957f84460e96b1a39d1
SHA256 35cfd6cca8b9e2c7f245fc41172f5ae40ca94444c26316534d2a44e449498aeb
SHA512 9dd63bf0c2691e858e5d5d817072fe38c4ba3e9eb221136bcaab40d42dcd846fa937b38b30b7ec2409e3b5b58866b8dadb7495fb53af72c17788491f6299b07a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a28d2b72b74826a2f2c57039ae8fd41f
SHA1 ac56567bfa80603c161e442481ca51542aa1d662
SHA256 7db2c3c00c81da71262636b5a233ccdcf28218a284b2e8c5613c1f9e981443a7
SHA512 6371912b67eb5ca05d56c2ff17ea13513e9e8479fdfce58b2dbb1599023a1ec19b0d1aceed5f1d474695afe96017a0d77f658db5108cc4cebb82f9ad368d187d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97f814d2918b022f5394578b8f2b04d5
SHA1 a4a9b8d585d67ef501e74fb158fedb127a183dc3
SHA256 27fd09685537a77919ad17e13b6ad3253bbe8e45414b3c00b82ccd4ec0d94bd0
SHA512 c10735985bbd5abc5188dd33ad5428258fd087e549501de1fab7ab0b10a44bb801df28164bd0eb28e37f34f37952aa879301b74629345daff1130df6dad11e3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 673aa62b4a4dde6e31707c359931f17e
SHA1 95f7be6109ea111c10676a73a7a8ecd6a4e5f82f
SHA256 8ca35831346c32fecbd737ba9949a514e7265314dec3ec3f3fdd11fb984fbe88
SHA512 f55cab750922bda88881f0f7a4843675c018d7636024950b8bfb59a1fc53364284824b3ca11972ffec60fbea30f8d504fc90794a2a5cc335ef89921bcfae65c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6822e88bc56fe16faa39035a1ff34c89
SHA1 7da9df1f618ffb311037643572eb5ec8e31b7bd2
SHA256 fac0ff7e6fbc03773a3d77a1a6afb512fd8ce9c8cfa8fdf5d40cd46f805600e2
SHA512 87c2167a0187aedcca913a7cb8303cf4ed1fc2b12273793759e2bf50fc643b3506980928f836227ec6dd9f08ff89396254e6fbc06f238048fc7fbe00de6f464f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2f4cb1630936c8636c3911fa458dca3
SHA1 834806b15f378e99221d7c401c5d956a31d2f9c9
SHA256 aef90f521ae93b4c30a200eebecb4758676bca85322a7d645a12736828e1c8e1
SHA512 435020ae125d3709dd8c2ec50dbc8205a99d6508e31be84d81bd745c20f6c6a2b84014b1de63f3619a5fb3adde3415b4244c6fa08ae539223fddb2e39c0c8f8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 01:29

Reported

2024-05-28 01:32

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33} C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109278" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{86584203-C5FD-4C23-8155-BE6C5D4BEB33}" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31109278" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\URL = "http://search.heasycouponsaccess.com/s?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423624759" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2550029109" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{86584203-C5FD-4C23-8155-BE6C5D4BEB33}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C37F5825-1C91-11EF-B826-FEEB313629C0} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31109278" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2550029109" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2552684550" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.heasycouponsaccess.com/?source=_v1&uid=4da72b99-4190-46aa-9d3a-3a7df5cd8728&uc=20180118&ap=appfocus368&i_id=coupons__1.30" C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7b3da13c54f4547886e7d2f6d9f872f5_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1356 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 search.heasycouponsaccess.com udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 ie.search.yahoo.com udp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 73.239.69.13.in-addr.arpa udp

Files
