Malware Analysis Report

2024-11-15 05:36

Sample ID: 240603-mmzf6acg42
Target: 91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118
SHA256: 285d68230b93267b142b14722f2e8cf1bb24e36b2c3d905e89bb6336b7a2110f
Tags: discovery
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery

Checks computer location settings

Deletes itself

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer start page

Runs ping.exe

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-06-03 10:35

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-03 10:35
Reported: 2024-06-03 10:38
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe"

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware, spyware

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DC2D2035-0712-45E6-8E61-235E538392B8} | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{04790351-2195-11EF-88AC-F2AB90EC9A26} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DC2D2035-0712-45E6-8E61-235E538392B8}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423572805" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\yourweatherinfonow.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d10000000002000000000010660000000100002000000075c9fae89d8e46b910f94e4586c21e42eee4f164e029b197bce8e93ed2b4cf4f000000000e8000000002000020000000ffaf7db9f664a35f9ddea4d2ea66646bdab2091fc69fe48578f93d5214323d6720000000fbc58931d5814dfd3ad307194b9f847f25f7dce87b3c82f553b5c8ec9fae2e49400000008ca510b7ecb16217599c9f90ded987d63df9d8c0b34f257c5a73b3414447d64a9c6f2a52498b9a436a3b23490c93a2ebcdbbadfa3e3324c3710bf2431af866c5 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DC2D2035-0712-45E6-8E61-235E538392B8}\DisplayName = "Search" | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\{DC2D2035-0712-45E6-8E61-235E538392B8}\URL = "http://search.yourweatherinfonow.com/s?source=-bb8&uid=4da1bcb7-5bf4-4e9f-ba33-3d65aadad747&uc=20180122&ap=AppFocus84&i_id=weather__1.30&query={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e2a0daa1b5da01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DOMStorage\yourweatherinfonow.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer start page

Tags: stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.yourweatherinfonow.com/?source=-bb8&uid=4da1bcb7-5bf4-4e9f-ba33-3d65aadad747&uc=20180122&ap=AppFocus84&i_id=weather__1.30" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2264 wrote to memory of 2892 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2892 wrote to memory of 2828 (4 events) | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2264 wrote to memory of 1112 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 1112 wrote to memory of 2024 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.yourweatherinfonow.com/?source=-bb8&uid=4da1bcb7-5bf4-4e9f-ba33-3d65aadad747&uc=20180122&ap=AppFocus84&i_id=weather__1.30

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c FOR /L %V IN (1,1,10) DO del /F "C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe" >> NUL & PING 1.1.1.1 -n 1 -w 1000 > NUL & IF NOT EXIST "C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe" EXIT

C:\Windows\SysWOW64\PING.EXE

PING 1.1.1.1 -n 1 -w 1000

Network

Count = number of identical connection records in the capture.

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | search.yourweatherinfonow.com | udp | 1
US | 34.234.0.52:80 | search.yourweatherinfonow.com | tcp | 6
US | 8.8.8.8:53 | d3ff8olul1r3ot.cloudfront.net | udp | 1
FR | 18.244.38.12:443 | d3ff8olul1r3ot.cloudfront.net | tcp | 2
US | 8.8.8.8:53 | connect.facebook.net | udp | 1
GB | 163.70.151.21:443 | connect.facebook.net | tcp | 2
US | 8.8.8.8:53 | imp.onesearch.org | udp | 1
US | 8.8.8.8:53 | dap2y8k6nefku.cloudfront.net | udp | 1
US | 54.158.195.25:443 | imp.onesearch.org | tcp | 6
US | 18.245.200.115:80 | dap2y8k6nefku.cloudfront.net | tcp | 6
US | 18.245.200.115:443 | dap2y8k6nefku.cloudfront.net | tcp | 2
US | 8.8.8.8:53 | api.openweathermap.org | udp | 1
US | 8.8.8.8:53 | internal_banner.tiles.ampfeed.com | udp | 1
US | 8.8.8.8:53 | internal_tiles.tiles.ampfeed.com | udp | 1
NL | 82.196.7.246:443 | api.openweathermap.org | tcp | 2
BE | 104.68.91.91:443 | internal_tiles.tiles.ampfeed.com | tcp | 4
US | 8.8.8.8:53 | analytics.google.com | udp | 1
GB | 142.250.187.206:443 | analytics.google.com | tcp | 2
US | 8.8.8.8:53 | stats.g.doubleclick.net | udp | 1
BE | 74.125.71.157:443 | stats.g.doubleclick.net | tcp | 3
US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp | 1
GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp | 2
US | 8.8.8.8:53 | www.google.com | udp | 1
GB | 142.250.187.196:443 | www.google.com | tcp | 4
US | 8.8.8.8:53 | imp.mt48.net | udp | 1
US | 8.8.8.8:53 | cdn.45tu1c0.com | udp | 1
BE | 104.68.83.229:443 | cdn.45tu1c0.com | tcp | 8
US | 8.8.8.8:53 | openweathermap.org | udp | 1
DE | 148.251.136.139:443 | openweathermap.org | tcp | 8
US | 8.8.8.8:53 | ocsp.r2m01.amazontrust.com | udp | 6
US | 3.165.130.26:80 | ocsp.r2m01.amazontrust.com | tcp | 5
GB | 143.204.67.183:80 | ocsp.r2m01.amazontrust.com | tcp | 1
US | 8.8.8.8:53 | imp.yourweatherinfonow.com | udp | 1
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp | 3
US | 8.8.8.8:53 | www.microsoft.com | udp | 2

Files

Paths written during the run (36 records; repeated paths collapsed):

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar7A6.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (17 records)
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OV51DDG5\js[1].js
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_434205A76CE72E9356C6165EEA1227C2
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9487BC0D4381A7CDEB9A8CC43F66D27C
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_B82D647113A63312F289CB1E910A9CB3
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\favicon[1].ico
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4BNS74GA.txt

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 181964b04df2d8bf62ef2fd3e94479f2
SHA1 7b2442e32703df6d453798a54f2d1c69d13b3360
SHA256 65a4f0c7ace121695fc703c2ac86e8e4f0d51ad6b920a3134bb4f122d7347c1d
SHA512 16434632123cfef0258de2421d32f06c565b19f42fdc769934f2cb9d75445ee8bc7700684da8d15003139c81b23c1ba9779745c8d72e4a44255f3414af0f8a31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 61d6305f44f07fba5f765e342ad79a35
SHA1 a0f2e1596d18caf12e161e959d4fd27b54182f1a
SHA256 a22038b540be289d500407a8d3195c7caf938e4a0cdf84dea78cbb4624bdce21
SHA512 b13022ceb5c2a30573500f3898f8dd1785982c67b944b0f60164e526b225db33d1c1e69bcfede63e867e037a7fc539e348dd76d0b37b7c2cd4278f680c23c3bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4bec7dcf82e0b950a5ddbe0e4b573f3
SHA1 64be5781e1e6daff3eaebc592b46eb66bc356a54
SHA256 33a86bc82fa4f5f4e38c49a678580dd79a03c5c99fcd0b6fcc11346116a23fad
SHA512 8e732162b79ce373047a912d33824f60a667adf3d0abc504650b16f49ecd0ae0c88cbdd0c623d365bf545a3bf0a098a2a038bd56e94267e5fab4af58ce080c23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77c2580e3253a913987c15ae66519534
SHA1 24d1710552b3bd41605d6469a601f301bc59d279
SHA256 cdf119beb8e02bce325ac500b11e477dea8d6691cd24321ec7682e665c669c05
SHA512 590095ddb25d0a042d482c02d2c636edd0146c5cbe5c293c3fdf5a21b61dd74fd13b0181eced00c968aec6303a9647d3d43ed557016ff919f3f4fc1c2f015f2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11c3b78746b68d1f91273bcb69f62c9b
SHA1 74ff0d9fdd33ebb75c1778104b407328cd705be7
SHA256 55fb710d9dbce6ae051bc202c8315721bcd4cd6915e075ef5fcbbe1170d9a49b
SHA512 4b000712182e61c58b593b4c8f8665622c6b395fbe8acba02dda618c67470656896826a4077655b85429f77f87c88c1b8fe6de1935eb9c3d3c84277d015d98d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 264c33a0974bf900cfa146f83f6dc49d
SHA1 5f4b8de497d0e57adf026345f1f45878d3e1d648
SHA256 d42326cab73fc457aabdbc4c339624abc68f81178d6bcda16965a2e93424dc21
SHA512 d852e594ec9279255dafcd541e813279b130ae19bfe4a0a53df1ffac115a3323c9f9d4e91969102b7ec78c49477d797bd3936f529f25a357d7acea7db8f214ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c71c271c0634a2b38eb0e9ebff1ba7f3
SHA1 3b9e067b9891843da6dadffd6b64a1f0b418ac08
SHA256 76443060fb81e016eb1007db05862164f35f3bff504c1f7a21437fb3a1f7333d
SHA512 9c19d71a44fe03847eb4be4e0af35555ce711b8618c88491f25ec0a7bf751502455f9778490c343db3269394367f1e5f825cce1b54c268c3864eeba99f893407

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7e43c3a6faae087341539fe8f35af9f
SHA1 1b6437fcc8d36a011d7303780cfdbd4b8d802827
SHA256 c9e49df2f38390758883ec6bc75e77ddc8b38eabb126da640369ea1194e401bc
SHA512 bd917056a0b27e7ffc0ec05b3feef012e08616a6c3c2373617a242d62c61ecba91369ccb9b00e54be03ac147d032b97fd81c0755b5626d2a2342a9cb82ec8e9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 c57a30b60f1e299cf9d8b3fba6a2a700
SHA1 82c1d624ebb61da05427d06d91f11e46058c3e62
SHA256 f38e6e52e733a2bec8c4107ae0fd9253e87fab0f616ec2035d336e87b045de79
SHA512 fe281a51b5a23aa0381e9ac2aeaaef521a3b40fa5116f84df4cb6e1ca7eed8312fa7f2bff4c01b82b681d5e4f1250e93f58638b88c32800b937c4d0939e37e8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d027301422b4da87c6a9b9e947c3d20c
SHA1 36ab1b6ab43e2f3e0e2af72c7f4d64007e70c1ba
SHA256 11ab4fecb753b52251b3e9bbef77fcc7f674932e8625063fa5e09de9fc529796
SHA512 a343a88c4c3910e17b1a81e63a653bf18506b13d18426b664f4f7bc5a51354885e6930ba2597e019033a231792fcd26895ccff6db9d6c19b8f197fedd2eb816e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 072aef7875148f192de8c272b5bcbcb9
SHA1 7272daaaf596d4d162e4204354305663b52e7b35
SHA256 e58b0bc00c95c55280f4d351b397e3d9d35b601958213eb4c918b6e5bd0064b2
SHA512 7edeae85ea362dce8b89d9314273f35dbb1e435d0086cfef6acc6d00fafa8f8612216022e9eb0118d9ab17ec4e0162755933d2ce19db07694a31d96091b79cc7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cb8cd9074d4de92521c38ae0cc0a489
SHA1 c325edba9bcf8c79d3fb79b8527f2798c882b49a
SHA256 9d014f27c0bab6bac96b9df804c155a20e4ad46f14f415ff8e646af855a03b18
SHA512 25ea79e284bd3570fb219e1604e07661b530db98857777afa4b896d2492a7eca295337bc3a7bc3feb3abd6bd38eaeca6af0df78bd1c7ac84fe5a45c0fe08072e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 106fde95ce68dbc1df5c514b8b099376
SHA1 7e11668693039059d29b7a7eade99ce7ca44331d
SHA256 fac3db9a36deb1b92a5a1d04a2167245f9ac07ef8f3b521f6bfb3228b84b96d8
SHA512 4adcb2dc635c0f972ff6ddbbcf6113fdab7736e74ce3191ff452d320dc0ab0553e30f669d824a2f63b09361144e5d5628e6ecc6b1798ab6298740fda55c1068b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c41fc07c696c96bc6cbc0900d375d126
SHA1 619ee0ad76cd85c70864d6a679096b3757cf3623
SHA256 d9203943c9f9b0a907309c42d7943009999862a38a5df55e549d90c53b9a675b
SHA512 705418b9551e82a809071d18edb457e16b215a52d242c2daefc0842f6bbaa791f71f488b6777b0007b3ae8023f9a1d5a20c9175906cb1634db97bcb64096b1cb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 45f531df1def0832ccc8f2500b5c7d9f
SHA1 21af8edf0a5345e818142804d76d07ea2186d328
SHA256 2f1df8328d7187cb5bb8afa519d28f013082ac258f78b6283a6870c7f06e91ec
SHA512 f21ca6ad9b6f6c158771f2f9826f38b946690455aa1c86b83709767c8709c85f969493649099232330554c5d49d3a81aa4cc968ccb21f8d2982d7bc6851ce946

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e29005f51cf57e7d95692afdfabb09d7
SHA1 03bd569a97c041c3738d9977d11ad3c621ae3276
SHA256 88a35eb227c0abd0c4a15d12d740306a77fa6bd5a294e0f61249f1e72a8c41d5
SHA512 45a685dae687ec805e8d4a4da3134dd18f25bb42ab019e1faa93e6ee2c5e072adf01c102568fc31ab023cb1891d2d7e00283f561afd7b6a4a6c63e4548bd4e4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d4c18b2a5ce10f88c789b810e1b5d93
SHA1 02d8a8f827f844cf7d26feaf5016385963913cc5
SHA256 c4924dde15cd53d7c58500c2ca84ff38ce6d975265cf4954c8345ceb35a598ef
SHA512 f169e6542bbef639dac9a7d110da221a8eaae49af3e476c1c3fd599823c10d02d597082bb448ed0c35093fca748dfdd6904ebc5c807bca24af9e6f4d3f3eda0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d33bda93d1f34059ba5a30831a501ec1
SHA1 f7c330f6ebb544d5f93dd849bde5999cb3cd855a
SHA256 7371850e4bd63471abfdc4ecd4f63b186b75dc4b1c290793bae72a52f8f02c7f
SHA512 d03292c67dabdd2393a9396064ad6511ad5ef41dbe5899a8eb9394aa62539731966d37cabae6bba91eeb4ed334bd8f14dc713e32751c2b7ee4f2e4e262d8e77c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 405d9f521023659a3e62abfb7ffa8172
SHA1 3639a94573289ea6457695b8f2d3ec7477ac8ce0
SHA256 a1f9926e4fd2ca995fd165b9abf692802205651c9670b76a14a19f577e3762b5
SHA512 4cb7a42de32ccc8a4e1e8f9e4331795d713325b9197c6dc72eac550bf61b4831bf07eb999c820c3f8d557bc203da14f5fb4e89448a654935884b21243b3e3d05

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:35

Reported

2024-06-03 10:38

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{20E70523-9E27-4124-A144-90ED882F0163}\DisplayName = "Search" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\ C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3666012726" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3663981121" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{20E70523-9E27-4124-A144-90ED882F0163}\SuggestionsURL = "https://ie.search.yahoo.com/os?appid=ie8&command={searchTerms}" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31110561" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424175915" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31110561" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{20E70523-9E27-4124-A144-90ED882F0163} C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{20E70523-9E27-4124-A144-90ED882F0163}\URL = "http://search.yourweatherinfonow.com/s?source=-bb8&uid=4da1bcb7-5bf4-4e9f-ba33-3d65aadad747&uc=20180122&ap=AppFocus84&i_id=weather__1.30&query={searchTerms}" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{20E70523-9E27-4124-A144-90ED882F0163}" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{05FCC133-2195-11EF-9519-EABD73F69B33} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3663981121" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31110561" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.yourweatherinfonow.com/?source=-bb8&uid=4da1bcb7-5bf4-4e9f-ba33-3d65aadad747&uc=20180122&ap=AppFocus84&i_id=weather__1.30" C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\91772792a8ab79fdadfa8ed86eabe6b4_JaffaCakes118.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -noframemerging

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4364 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 search.yourweatherinfonow.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ie.search.yahoo.com udp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
IE 212.82.100.137:443 ie.search.yahoo.com tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 137.100.82.212.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files