Malware Analysis Report

2025-01-18 21:53

Sample ID 240622-d8f29szfjj
Target 011aa6f751053818a40db8da655faa94_JaffaCakes118
SHA256 889bdabecf6d2f256d4fa3e4b54ad83781be6e10ede4114af8efcad193da0625
Tags
adware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

889bdabecf6d2f256d4fa3e4b54ad83781be6e10ede4114af8efcad193da0625

Threat Level: Shows suspicious behavior

The file 011aa6f751053818a40db8da655faa94_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

adware stealer

Checks BIOS information in registry

Loads dropped DLL

Maps connected drives based on registry

Installs/modifies Browser Helper Object

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 03:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 03:40

Reported

2024-06-22 03:43

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wsock32.sys C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\TfoQb2h892.ini C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TfoQb2h892.ini C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PCGWIN32.LI4 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50e17a0256c4da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425189523" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a2300000000020000000000106600000001000020000000dc85252293f431cb36abd36682eddb02ccec2cef313e8410e78b15561d9c5397000000000e80000000020000200000004a2882e3ed7f293900195c15c317130929d2b8baa08f0c1d3f208f7db1cd0bcc90000000fa55def5cf3366d5a330b99c5ad4fc045aa15a9c494bd6815899089feea9e7d2c68d8b53db6f66afc66c8bc5094ce8515dfa458a97a2ebe77b3e5e3c73f2de654fc53fd532b133d9befa14de8e4473b3d2694bf0c86450ed1fbb8f4938b62ee704c0d391b3a30ccda7155e48f59c7c53ffb3f801c9ed2cd48dd92326e5fbf2dc2db8ad3b616bfd434829cd575b8d09fe40000000096c40a3d415cd7e5f3d917c9038f126b373a0d11a4f2da6c8409f5ee5aa2cc2674c4a993347787669ac81f78e943dccde6584f4a0b6ec0674f4bb401ffe6f1a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000022ebbf9b705ac99c8cade0f335179087b33445df80305b0ed1cf94092e81fcfe000000000e800000000200002000000002e6df6c4a62ebad1f8b9ca77d8211396cef4af3f028c66c33b520ba38e140cd2000000019c401065553c9972f506c9ea41da66a70c8a238b8c3f148c8def136973cfc1840000000719d4287656022637a64ec27f42c7f39d45af13a33d79756824ac2eddebfef8db384b0e48dd34bdab175c519fec8c53210d0c45e818a2ed4c024404a67c76afa C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2DBBE851-3049-11EF-B27D-6A387CD8C53E} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "3557717703" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022}\ = 3cea9b9b4ccbf9c3296b1a7ccbe99be10c415b36cce1e5ea2d23a6a470de9b08cc7bfbd4ab717be2ec6d04a65f9fb7f75f6f8818ffcbe8e49acf4ad828f7ace085a76e0018f8b12ce1d929361ae0b514eeb306db3fcce8b9bcd129f57e6d963a702d5f06c8c1649eaf37f8df1637cf9027c8b0f9516af24322cc13d9b44ade3b76142ffc78682c630784600c3999d68941e5b992edc2e5fc9daa4a1ac3352b1e64b7af5f7848aa671a708b555b4e8c79f92eea46e301446e024753c004eb2f1c588930061f2f086781202177ca103c4c95453e0229b3e6a3ffeb1744b00120d1dbb54b6de426fcbfd6577040d3693366145fb308147dff56173f40a8bb8194a27d626add9cc948197b72949b038cec3926d19ff5772da086cd0025692e7ac72dffa6575ef049d442301d934a3c1deb3603117cb2695a22b5836d9cbab52dde65b66e500737605055c1c2d2eb3264936d03fa34ebd31cf3746bafdce7f650d00b80c31ba34c73d96c897bfd6c552542ae7d87eacf428775ef62f8c357a340d4e141aa254222436344644f4338c4518c4e99198e49d97ecae9fbe1ab4d1b460cef1b878c6f18780d6ffa38aa5025334e24d9ddf2b6d35e7c37e9a0c6ac1ee4c94f39d86a4d7de66a31dbe9b321a3d6eb019bfdb429a1bace2cf945d6a27f3c1c2c55878fc5093f51dedb262388d085c87ed9abf460f6b47307c7645b3270188870d20e7d1f9ae891bb1e796c12ac188700 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022}\ = 3cea9b9b4ccbf9c3296b1a7ccbe99be10c415b36cce1e5ea2d23a6a470de9b08cc7bfbd4ab717be2ec6d04a65f9fb7f75f6f8818ffcbe8e49acf4ad828f7ace042d160d418f8b12ce1d929361ae0b514eeb306db3fcce8b9bcd129f57e6d963a702d5f06c8c1649eaf37f8df1637cf9027c8b0f9516af24322cc13d9b44ade3b76142ffc78682c630784600c3999d68941e5b992edc2e5fc9daa4a1ac3352b1e64b7af5f7848aa671a708b555b4e8c79f92eea46e301446e024753c004eb2f1c588930061f2f086781202177ca103c4c95453e0229b3e6a3ffeb1744b00120d1dbb54b6de426fcbfd6577040d3693366145fb308147dff56173f40a8bb8194a27d626add9cc948197b72949b038cec3926d19ff5772da086cd0025692e7ac72dffa6575ef049d442301d934a3c1deb3603117cb2695a22b5836d9cbab52dde65b66e500737605055c1c2d2eb3264936d03fa34ebd31cf3746bafdce7f650d00b80c31ba34c73d96c897bfd6c552542ae7d87eacf428775ef62f8c357a340d4e141aa254222436344644f4338c4518c4e99198e49d97ecae9fbe1ab4d1b460cef1b878c6f18780d6ffa38aa5025334e24d9ddf2b6d35e7c37e9a0c6ac1ee4c94f39d86a4d7de66a31dbe9b321a3d6eb019bfdb429a1bace2cf945d6a27f3c1c2c55878fc5093f51dedb262388d085c87ed9abf460f6b47307c7645b3270188870d20e7d1f9ae891bb1e796c1225c53714 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
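The BHO registration is spread over several of the tables above: the Browser Helper Objects key names the CLSID, the CLSID's InprocServer32 default value names the in-process server, the TypeLib entries point at the same binary, and the file events show the sample writing that binary into SysWOW64. The script below is an added example, not part of the sandbox report, that stitches those rows back into one chain and lists what a legitimate BHO registration would not show. The event log it parses is a constructed subset of the behavioral1 rows; its pipe-separated layout and the SAMPLE placeholder are this script's own conventions, and treating wsock32 as the name of a genuine Windows library is the writer's knowledge, not something the report states.

```python
"""Stitch the BHO registration in the tables above back into one chain.

Added example, not code from the sandbox report. EVENT_LOG is a constructed
subset of the behavioral1 rows; its "desc | indicator | value | process"
layout and the SAMPLE placeholder are conventions of this script.
"""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe")

EVENT_LOG = r"""
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} |  | SAMPLE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ | N.Cs4 | SAMPLE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel | Apartment | SAMPLE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ | C:\Windows\SysWow64\wsock32.sys | SAMPLE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ | {C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} | SAMPLE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ | C:\Windows\SysWow64\wsock32.sys | SAMPLE
File opened for modification | C:\Windows\SysWOW64\wsock32.sys |  | SAMPLE
File created | C:\Windows\SysWOW64\TfoQb2h892.ini |  | SAMPLE
File opened for modification | C:\Windows\PCGWIN32.LI4 |  | SAMPLE
"""

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
BHO_KEY = "\\explorer\\browser helper objects\\"
# wsock32.dll is the genuine legacy Winsock library in System32/SysWOW64 (writer's
# knowledge, not stated by the report); reusing the stem with another extension
# is a masquerade.
WINDOWS_LIBRARY_STEMS = {"wsock32"}


def parse_events(log):
    """Split the constructed log into (description, indicator, value, process) tuples."""
    events = []
    for line in log.strip().splitlines():
        desc, indicator, value, process = (f.strip() for f in line.split(" | "))
        events.append((desc, indicator, value,
                       SAMPLE_EXE if process == "SAMPLE" else process))
    return events


def assess_server(path, touched):
    """Properties a legitimate in-process COM server would not normally show."""
    if not path:
        return ["no InprocServer32 default value recorded"]
    p = path.lower().replace("\\\\", "\\")          # the report escapes backslashes
    stem, _, ext = p.rsplit("\\", 1)[-1].rpartition(".")
    reasons = []
    if ext != "dll":
        reasons.append("server extension is ." + ext + ", not .dll")
    if stem in WINDOWS_LIBRARY_STEMS:
        reasons.append("file name mimics the Windows library " + stem + ".dll")
    if p in touched:
        reasons.append("server file was written by the registering process itself")
    return reasons


def reconstruct_bho(events):
    """BHO key -> CLSID -> InprocServer32 / ProgID / TypeLib -> files the sample touched."""
    bho_clsids, inproc, progid, typelib_of, typelib_bin = set(), {}, {}, {}, {}
    touched = set()
    for desc, ind, val, _proc in events:
        low = ind.lower()
        guid = GUID_RE.search(ind)
        if desc.startswith("File "):
            touched.add(low)
        elif desc == "Key created" and BHO_KEY in low and guid:
            bho_clsids.add(guid.group(0).upper())
        elif desc.startswith("Set value") and guid:
            g = guid.group(0).upper()
            if low.endswith("\\inprocserver32\\"):       # default value = server path
                inproc[g] = val
            elif low.endswith("\\progid\\"):
                progid[g] = val
            elif "\\clsid\\" in low and low.endswith("\\typelib\\"):
                typelib_of[g] = val.upper()               # CLSID -> TYPELIB GUID
            elif "\\typelib\\" in low and low.endswith("\\win32\\"):
                typelib_bin[g] = val                      # TYPELIB GUID -> binary
    findings = []
    for clsid in sorted(bho_clsids):
        server = inproc.get(clsid, "")
        findings.append({
            "clsid": clsid,
            "progid": progid.get(clsid),
            "server": server,
            "typelib_binary": typelib_bin.get(typelib_of.get(clsid, "")),
            "reasons": assess_server(server, touched),
        })
    return findings


if __name__ == "__main__":
    for f in reconstruct_bho(parse_events(EVENT_LOG)):
        print(f["clsid"], f["progid"], "->", f["server"])
        for reason in f["reasons"]:
            print("  -", reason)
```

Run directly, it prints one chain: CLSID {E14DCE67-8FB7-4721-8149-179BAA4D792C}, ProgID N.Cs4, server C:\Windows\SysWow64\wsock32.sys, with three reasons. Those three are the ones worth carrying into a host check or detection rule: a COM server whose extension is not .dll, a file name borrowed from a real Windows library, and a server binary written by the process that registered it.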

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2356 wrote to memory of 2060 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2060 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2060 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2356 wrote to memory of 2060 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe"

C:\Program Files (x86)\internet explorer\iexplore.exe

"C:\Program Files (x86)\internet explorer\iexplore.exe" http://

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2
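The WriteProcessMemory rows and the command lines above describe a single chain: the sample starts 32-bit iexplore.exe with an http:// URL, that process starts the 64-bit frame, and the frame starts a tab process whose SCODEF:2060 argument names its parent. A parent writes into a newly created child as part of process creation, so this signature also fires on ordinary launches; what distinguishes the first edge is that a non-browser process is the one starting the browser. Note also that every row of the Modifies Internet Explorer settings table is attributed to IEXPLORE.EXE itself, so it is this chain, not those keys, that ties the browser activity back to the sample. The script below is an added example, not part of the report, that parses the table rows verbatim, folds the repeated entries, and labels each edge. The PID-to-command-line mapping is inferred from the write targets and the memory/2848-* dump names and is an assumption of the script.

```python
"""Rebuild the process chain from the WriteProcessMemory rows and command lines above.

Added example, not code from the sandbox report. WPM_LINES are rows copied from
the table (a duplicate kept so the folding is visible); CMDLINES maps PIDs to the
listed command lines and is inferred, not stated by the report.
"""
import re
from collections import defaultdict

WPM_LINES = r"""
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2848 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe C:\Program Files (x86)\internet explorer\iexplore.exe
PID 2356 wrote to memory of 2060 N/A C:\Program Files (x86)\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2060 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

# Assumed PID -> command line mapping (from the write targets and the memory/2848-* dumps).
CMDLINES = {
    2848: r'"C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe"',
    2356: r'"C:\Program Files (x86)\internet explorer\iexplore.exe" http://',
    2060: r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://',
    2732: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2060 CREDAT:275457 /prefetch:2',
}

# Source path is matched lazily so that the first " X:\" after it starts the target path.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$")
BROWSER_STEMS = {"iexplore"}


def parse_wpm(text):
    """Fold the repeated rows into {(src_pid, dst_pid): (src_path, dst_path, count)}."""
    edges = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line)
        if not m:
            raise ValueError("unparsed row: " + line)
        key = (int(m.group(1)), int(m.group(2)))
        src_path, dst_path, n = edges.get(key, (m.group(3), m.group(4), 0))
        edges[key] = (src_path, dst_path, n + 1)
    return edges


def image_stem(path):
    """'C:\\...\\IEXPLORE.EXE' -> 'iexplore'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def classify_edge(src_pid, dst_pid, src_path, dst_path, cmdlines):
    """Say why one process wrote into the other at launch."""
    dst_cmd = cmdlines.get(dst_pid, "")
    src_browser = image_stem(src_path) in BROWSER_STEMS
    dst_browser = image_stem(dst_path) in BROWSER_STEMS
    if dst_browser and f"SCODEF:{src_pid} " in dst_cmd:
        return "ie-tab-spawn"             # frame process starting a tab process
    if src_browser and dst_browser:
        return "browser-internal"         # 32-bit frame handing off to the 64-bit one
    if dst_browser:
        return "sample-launches-browser"  # the edge that ties IE activity to the sample
    return "other"


def process_chain(edges, cmdlines):
    """Render the tree root-first: '<indent><pid> [<label>] <command line>'."""
    children, parents = defaultdict(list), {}
    for (src, dst), (src_path, dst_path, _n) in edges.items():
        children[src].append(dst)
        parents[dst] = classify_edge(src, dst, src_path, dst_path, cmdlines)
    lines = []

    def walk(pid, depth):
        lines.append(f"{'  ' * depth}{pid} [{parents.get(pid, 'root')}] {cmdlines.get(pid, '?')}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    for root in sorted(p for p in children if p not in parents):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(process_chain(parse_wpm(WPM_LINES), CMDLINES)))
```

Run directly, it prints the four processes as an indented tree with 2848 as root and the 2848 to 2356 edge labelled sample-launches-browser; the other two edges are ordinary Internet Explorer process handling and would look the same for a user-opened browser.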

Network

Files

memory/2848-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\PCGWIN32.LI4

MD5 01e295547803c9ab4628ead4b8824635
SHA1 0d9e3d00e53c0ca7bb38448331deae17b2e82479
SHA256 f5026b16c10e784bace645e68c5202f6c6bfc9acd81b1f91fb5c3342d2f5b3bf
SHA512 9144aeda148763e2ca2813495f76523189e28b665213ca82c2b6f14ad4c3a07e38df8338f5eaf96d8f9b5d2210a2c5cf19cee0ff136a5787a52f22a59b63b9b3

\Windows\SysWOW64\wsock32.sys

MD5 e542cc1875d57544eb2382faf41573b1
SHA1 e23d5915349d5772f23180dfa2c2cac2c0b8d14e
SHA256 0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac
SHA512 5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

memory/2848-19-0x0000000000400000-0x0000000000441000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 03:40

Reported

2024-06-22 03:43

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe"

Signatures

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wsock32.sys C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\TfoQb2h892.ini C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
File created C:\Windows\SysWOW64\TfoQb2h892.ini C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\PCGWIN32.LI4 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114326" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425792608" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d74c0356c4da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "46150212" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c83740000000002000000000010660000000100002000000048a93e0ea6cd91bb906541b3e4d8003772358669f7167e38e40b0b6ed5beb5ab000000000e800000000200002000000091f8ab78dbeb82ef3e5afa20f833bbec4b0c898c8da8977a0518e392d2c3755420000000c14a1fc361c9acc90fe5b359cf6da92fabaa68c06a68d50befbc741a4a8660cf40000000d081f39df9f9068099598977929f5e381300a6eced1c26309c971ca678bb2bb88d3ab6ba3552574c8d59bbcd7caafd087b930c5c8d76d3aa2947314e18174a18 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114326" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000006633b135c95c54191e4d28dd78c837400000000020000000000106600000001000020000000152f2565ae60d751f828b6df8e2012263aa7e36374b9dcc6cce544684ebf5178000000000e8000000002000020000000e329415c3bf2f5549fc3888011a817e1051956275bca49cfd45403392e7ba08b20000000fd3c992bd440890226f74d6cac3c9f5654cf34965d798651890c954bca250fbc400000003b9d35c0bdad9bbd730d39c8ed3d5abba1371bc8716f26955c5f1b6fdf9f0f9e1a71cf6edb057de5e1e336865a5990009463c69e26c6db87649de10a15095072 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31114326" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "44743784" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2E4858B6-3049-11EF-A084-EABD73F69B33} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31114326" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "44743784" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "46150212" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50664a0356c4da01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Note: the rows below register an in-process COM server under WOW6432Node: ProgID N.Cs4 -> CLSID {E14DCE67-8FB7-4721-8149-179BAA4D792C}, with InprocServer32 and the type library's win32 path both set to C:\Windows\SysWow64\wsock32.sys, the file listed as dropped in the Files section. The .sys name is only a name; an InprocServer32 target is loaded as a user-mode DLL by whichever client instantiates the class. The keys {D50DBC70-EDF2330C-38FF8F7C} and {1495FE7A-6C0B2EF6-509DD892-F8A01022} directly under Classes are not valid GUIDs and hold opaque data, so they are storage, not COM registrations.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "3632131847" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022}\ = 3cea9b9b4ccbf9c3296b1a7ccbe99be10c415b36cce1e5ea2d23a6a470de9b08cc7bfbd4ab717be2ec6d04a65f9fb7f75f6f8818ffcbe8e4ce23b7492ff7ace085a76e0018f8b12ce1d929361ae0b514eeb306db3fcce8b9bcd129f57e6d963a702d5f06c8c1649eaf37f8df1637cf9027c8b0f9516af24322cc13d9b44ade3b76142ffc78682c630784600c3999d68941e5b992edc2e5fc9daa4a1ac3352b1e64b7af5f7848aa671a708b555b4e8c79f92eea46e301446e024753c004eb2f1c588930061f2f086781202177ca103c4c95453e0229b3e6a3ffeb1744b00120d1dbb54b6de426fcbfd6577040d3693366145fb308147dff56173f40a8bb8194a27d626add9cc948197b72949b038cec3926d19ff5772da086cd0025692e7ac72dffa6575ef049d442301d934a3c1deb3603117cb2695a22b5836d9cbab52dde65b66e500737605055c1c2d2eb3264936d03fa34ebd31cf3746bafdce7f650d00b80c31ba34c73d96c897bfd6c552542ae7d87eacf428775ef62f8c357a340d4e141aa254222436344644f4338c4518c4e99198e49d97ecae9fbe1ab4d1b460cef1b878c6f18780d6ffa38aa5025334e24d9ddf2b6d35e7c37e9a0c6ac1ee4c94f39d86a4d7de66a31dbe9b321a3d6eb019bfdb429a1bace2cf945d6a25773a42c55878fc5093f51dedb262388d085c87ed9abf460f6b47307c7645b3270188870d20e7d1f9ae891bb1e796c1205a0ac16 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022}\ = 3cea9b9b4ccbf9c3296b1a7ccbe99be10c415b36cce1e5ea2d23a6a470de9b08cc7bfbd4ab717be2ec6d04a65f9fb7f75f6f8818ffcbe8e49acf4ad828f7ace085a76e0018f8b12ce1d929361ae0b514eeb306db3fcce8b9bcd129f57e6d963a702d5f06c8c1649eaf37f8df1637cf9027c8b0f9516af24322cc13d9b44ade3b76142ffc78682c630784600c3999d68941e5b992edc2e5fc9daa4a1ac3352b1e64b7af5f7848aa671a708b555b4e8c79f92eea46e301446e024753c004eb2f1c588930061f2f086781202177ca103c4c95453e0229b3e6a3ffeb1744b00120d1dbb54b6de426fcbfd6577040d3693366145fb308147dff56173f40a8bb8194a27d626add9cc948197b72949b038cec3926d19ff5772da086cd0025692e7ac72dffa6575ef049d442301d934a3c1deb3603117cb2695a22b5836d9cbab52dde65b66e500737605055c1c2d2eb3264936d03fa34ebd31cf3746bafdce7f650d00b80c31ba34c73d96c897bfd6c552542ae7d87eacf428775ef62f8c357a340d4e141aa254222436344644f4338c4518c4e99198e49d97ecae9fbe1ab4d1b460cef1b878c6f18780d6ffa38aa5025334e24d9ddf2b6d35e7c37e9a0c6ac1ee4c94f39d86a4d7de66a31dbe9b321a3d6eb019bfdb429a1bace2cf945d6a25773a42c55878fc5093f51dedb262388d085c87ed9abf460f6b47307c7645b3270188870d20e7d1f9ae891bb1e796c12ac989108 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C} C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4" C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0 C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe N/A
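As an added example (not part of the sandbox report or its signature engine), the Python below re-reads a subset of the rows above in the report's own row format, rebuilds the COM registration the sample wrote, and applies the checks a reviewer would otherwise do by hand: which CLSID the ProgID resolves to, where its InprocServer32 points, whether that path uses a DLL extension, whether it matches a file listed as dropped, and which brace-named keys under Classes are not real GUIDs. The rows, the dropped-file path and hash, and the process path are copied from this report; REPORT_ROWS, DROPPED_FILES and the function names are the example's own.

```python
import re

# Process column shared by every row of the table (copied from the report).
PROC = r'C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe'
TAIL = ' ' + PROC + ' N/A'          # the "Process" and "Target" columns

# Constructed input: rows copied from the "Modifies registry class" table
# (a subset; the two long hex-blob rows are omitted).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}"' + TAIL,
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys"' + TAIL,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}' + TAIL,
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\{D50DBC70-EDF2330C-38FF8F7C}\ = "3632131847"' + TAIL,
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\{1495FE7A-6C0B2EF6-509DD892-F8A01022}' + TAIL,
]

# Dropped file and its SHA256, from the Files section of this report.
DROPPED_FILES = {
    r'C:\Windows\SysWOW64\wsock32.sys':
        '0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac',
}

ROW_RE = re.compile(
    r'^(?:Key created|Set value \((?P<type>\w+)\))\s+'
    r'(?P<key>\\REGISTRY\\\S+?)'          # key path; a trailing '\' means the default value
    r'(?:\s+=\s+(?P<val>.+?))?'           # present only on "Set value" rows
    r'\s+(?P<proc>[A-Za-z]:\\\S+)\s+N/A$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)


def parse_rows(rows):
    """Report rows -> (key, value_name, type, value); 'Key created' rows carry None."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError('unparsed row: ' + row)
        key, val = m.group('key'), m.group('val')
        if val is None:
            out.append((key, None, None, None))
            continue
        if m.group('type') in ('str', 'int'):
            val = val.strip('"').replace('\\\\', '\\')   # undo the report's escaping
        if key.endswith('\\'):
            key, name = key[:-1], ''                      # '' = (Default)
        else:
            key, name = key.rsplit('\\', 1)
        out.append((key, name, m.group('type'), val))
    return out


def com_servers(entries):
    """CLSID -> {'(Default)', 'InprocServer32', 'InprocServer32\\ThreadingModel', 'ProgID', 'TypeLib', 'wow64'}."""
    servers = {}
    for key, name, _typ, val in entries:
        m = re.search(r'\\CLSID\\(\{[^}]+\})(?:\\(.*))?$', key, re.I)
        if not m or name is None:
            continue
        clsid, sub = m.group(1).upper(), (m.group(2) or '')
        entry = servers.setdefault(clsid, {'wow64': '\\WOW6432NODE\\' in key.upper()})
        entry['\\'.join(p for p in (sub, name) if p) or '(Default)'] = val
    return servers


def findings(entries, dropped):
    """The checks a reviewer runs over this table; returns human-readable strings."""
    out = []
    dropped_ci = {p.lower(): h for p, h in dropped.items()}
    for clsid, srv in com_servers(entries).items():
        path = srv.get('InprocServer32')
        if not path:
            continue
        ext = path.rsplit('.', 1)[-1].lower()
        if ext not in ('dll', 'ocx'):
            out.append(clsid + ': in-process server has a non-DLL extension .' + ext
                       + ' (' + path + '); it is still loaded as a user-mode DLL')
        if path.lower() in dropped_ci:
            out.append(clsid + ': InprocServer32 is the dropped file ' + path
                       + ' (sha256 ' + dropped_ci[path.lower()][:12] + '...)')
    seen = set()
    for key, *_ in entries:
        m = re.match(r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(\{[^\\]+\})$', key, re.I)
        if m and not GUID_RE.match(m.group(1)) and m.group(1) not in seen:
            seen.add(m.group(1))
            out.append(m.group(1) + ': brace-named key directly under Classes is not a valid GUID;'
                       ' private storage, not a COM registration')
    return out


if __name__ == '__main__':
    for line in findings(parse_rows(REPORT_ROWS), DROPPED_FILES):
        print(line)
```

Only parse_rows() is tied to the report's row layout; com_servers() and findings() take plain (key, name, type, value) tuples, so the same checks can be run over a hive export from a live host by swapping the parser.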

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\011aa6f751053818a40db8da655faa94_JaffaCakes118.exe"

C:\Program Files (x86)\internet explorer\iexplore.exe

"C:\Program Files (x86)\internet explorer\iexplore.exe" http://

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:452 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
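As an added example (not part of the report), the script below parses the Network table, separates resolver traffic from real connections, and decodes the in-addr.arpa names back to the addresses that were reverse-looked-up. It makes explicit what the table implies: the only non-DNS flow is one TLS connection to ieonline.microsoft.com, and nine of the ten PTR queries have no matching connection in the capture. Keep in mind that the Processes section shows the sample starting iexplore.exe with a bare http:// argument, so the browser's own background activity is part of this capture, and the table does not attribute flows to processes. The row text is copied from the table; NETWORK_ROWS and the function names are the example's own.

```python
import ipaddress
import re

# Constructed input: the Network table above, copied verbatim.
NETWORK_ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

PTR_RE = re.compile(r'^((?:\d{1,3}\.){4})in-addr\.arpa$', re.I)


def parse_network(text):
    """'Country Destination Domain Proto' rows -> dicts with ip and port split out."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(':', 1)
        records.append({'country': country, 'ip': ip, 'port': int(port),
                        'domain': domain, 'proto': proto})
    return records


def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None for names that are not IPv4 PTRs."""
    m = PTR_RE.match(name)
    if not m:
        return None
    octets = m.group(1).rstrip('.').split('.')
    # IPv4Address() rejects octets outside 0-255, so a malformed PTR raises here.
    return str(ipaddress.IPv4Address('.'.join(reversed(octets))))


def summarize(records):
    """Split real connections from resolver chatter and tie PTR queries to them."""
    connections = {(r['ip'], r['port'], r['proto']): r['domain']
                   for r in records if r['port'] != 53}
    connected_ips = {ip for ip, _port, _proto in connections}
    ptr_ips = []
    for r in records:
        ip = ptr_to_ip(r['domain'])
        if ip and ip not in ptr_ips:
            ptr_ips.append(ip)
    return {
        'connections': connections,
        'ptr_with_connection': [ip for ip in ptr_ips if ip in connected_ips],
        'ptr_without_connection': [ip for ip in ptr_ips if ip not in connected_ips],
        'non_global': [ip for ip in ptr_ips if not ipaddress.IPv4Address(ip).is_global],
    }


if __name__ == '__main__':
    summary = summarize(parse_network(NETWORK_ROWS))
    for (ip, port, proto), domain in summary['connections'].items():
        print('connection:', proto, ip, port, domain)
    print('reverse-looked-up and connected to:', summary['ptr_with_connection'])
    print('reverse-looked-up only:', summary['ptr_without_connection'])
```

The 'ptr_without_connection' list is the set of addresses to pivot on in a longer-running capture or in proxy logs; in this report they appear only as resolver queries.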

Files

memory/2944-0-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Windows\SysWOW64\wsock32.sys

MD5 e542cc1875d57544eb2382faf41573b1
SHA1 e23d5915349d5772f23180dfa2c2cac2c0b8d14e
SHA256 0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac
SHA512 5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

memory/2944-20-0x0000000000400000-0x0000000000441000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 3e69b4f7d8b24e6c9606a99dcceb1477
SHA1 fa51b22048b9881fa9d589edabd597098c6ce426
SHA256 a8616afc4ac83452b293faeb861b299486ed4a881c4a0d9856fb55c877354db5
SHA512 6ec308d1d1ef5c5dce11d34ecebe0fc28f27154a7fa376529f5c315ddc63e0bd211cfd1ad42f6c2ab3a3d6da5b85ea004e20d7621430de45220c1df9055b550e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 4491a29d8a5056ec9424d7e04c9825fe
SHA1 3b8b4933eca2076454e0b28582816b1065e04d06
SHA256 437a44bb633841468ab327c9289e435e83429acd13a34d4c17efc1424ea84880
SHA512 d798c6e08aea69cbf4849f8a1a7494b838647b9907afd9ff62de0b5bace8be9ceb975e63b3d02882d4671fbc443de98e7da162ee46288dfac222bc18f16fa77c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC9F7.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\AKI8W8FH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee