5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47

Resubmissions

25-04-2024 04:47

240425-fezzdsfg4z 8

25-04-2024 04:44

25-04-2024 04:30

25-04-2024 04:26

25-04-2024 04:23

Analysis

max time kernel
187s
max time network
173s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 04:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SpySheriff.exe
Size

403KB
MD5

c899f93e8b753fedd068ef3fe2edb0fd
SHA1

144b1f18d0e307d14937c21ca1d7cbfc91828a10
SHA256

5c2a85fb56de2e0a1a1d260ef2177e0209477586c8a6740494bbaf40a9785f47
SHA512

1aceacb4eba0815322dd3fcd273d8703408362eee3b2d2b5981d2abbe4c2b02852608f46b2e7ce46a50e921871d445c239014b5957c6ba0606bd0334ce7bd41b
SSDEEP

12288:eBMDMf+ztV53y2k9I68iXDycz+rYIYsVRSHsDr:eS4S53h68eIZjD

Score

8^/10

discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1021.001

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SpySheriff.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	SpySheriff.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SpySheriff.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\SpySheriff = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SpySheriff.exe"	SpySheriff.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SpySheriff.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SpySheriff.exe

Maps connected drives based on registry 3 TTPs 5 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\NextInstance	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\Count	SpySheriff.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SpySheriff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	SpySheriff.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SpySheriff.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Configuration Data	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Component Information	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Configuration Data	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BiosMinorRelease	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\Component Information	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1\Component Information	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Identifier	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0\Component Information	SpySheriff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Configuration Data	SpySheriff.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Configuration Data	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	SpySheriff.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	SpySheriff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Component Information	SpySheriff.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	SpySheriff.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a02a15a2c996da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000024852b0177ebf78d39f648da42c774e8d2012671553dcc3c8b2ef6f89efd5ba000000000e80000000020000200000009fd0e23b47a2b6f2d00fbe51a8ea2d24a74b24f5a3e7282a271047ee176f21fe20000000cbdf6694348b623fd9734adbd6f0773844ae80b8c6471f7d0cbb4c5327714660400000009dda25729e3c03469407b7f38dd16f55e773b136624cdc148952051e4d68cca5a1be239e8832703a5466ab76f063b0960b12c52ad2c7082d134469dac6610598	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1812641-02BC-11EF-A296-4A24C526E2E4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies registry class 3 IoCs

Processes:

SpySheriff.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"	SpySheriff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.key	SpySheriff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.key\	SpySheriff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

SpySheriff.exe

pid process

2904 SpySheriff.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

SpySheriff.exe

pid	process
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

SpySheriff.exe

pid	process
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe
2904	SpySheriff.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	process
1592	iexplore.exe
1592	iexplore.exe
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2144	iexplore.exe
2144	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1148	iexplore.exe
1148	iexplore.exe
964	IEXPLORE.EXE
964	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

SpySheriff.exeiexplore.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 2904 wrote to memory of 1592	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1592	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1592	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1592	2904	SpySheriff.exe	iexplore.exe
PID 1592 wrote to memory of 2644	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 2644	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 2644	1592	iexplore.exe	IEXPLORE.EXE
PID 1592 wrote to memory of 2644	1592	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 2144	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 2144	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 2144	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 2144	2904	SpySheriff.exe	iexplore.exe
PID 2144 wrote to memory of 1092	2144	iexplore.exe	IEXPLORE.EXE
PID 2144 wrote to memory of 1092	2144	iexplore.exe	IEXPLORE.EXE
PID 2144 wrote to memory of 1092	2144	iexplore.exe	IEXPLORE.EXE
PID 2144 wrote to memory of 1092	2144	iexplore.exe	IEXPLORE.EXE
PID 2904 wrote to memory of 1148	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1148	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1148	2904	SpySheriff.exe	iexplore.exe
PID 2904 wrote to memory of 1148	2904	SpySheriff.exe	iexplore.exe
PID 1148 wrote to memory of 964	1148	iexplore.exe	IEXPLORE.EXE
PID 1148 wrote to memory of 964	1148	iexplore.exe	IEXPLORE.EXE
PID 1148 wrote to memory of 964	1148	iexplore.exe	IEXPLORE.EXE
PID 1148 wrote to memory of 964	1148	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe
"C:\Users\Admin\AppData\Local\Temp\SpySheriff.exe"
1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2904

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1592 CREDAT:275457 /prefetch:2
3⤵
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2144

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1092

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.spy-sheriff.com/license.php?s=2094271626&a=0&sa=0&ln=0&vrt=3
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1148

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1148 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Remote Services

T1021

Remote Desktop Protocol

T1021.001

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
109ff74b0fd744dfef6650750b0a58e8

SHA1
2abe8497208744af818b0599190c83e17ef6b15e

SHA256
9987c1e67a62f45ca1a2c38a6691c770eef2bb815f1ca3a1d1c770ead4acd49d

SHA512
1b5a9a72210f6e4e1add2b8fa4ad4b8eaf8ca8a5bccdaf824f7d549d940afb03d94baae8246d1f00b303fe5f9aad6904f67df35b3c968ffd4d680bc2c8e8850b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_287645BCBA32F35B745B436FF45A6C8B
Filesize
472B

MD5
430a2f7afd1db005d371c4ff054443b8

SHA1
8d92df082062110ba4100eb42285054f467074a3

SHA256
ba736c3410b600ccb29d09f95b2bf6347d508d3fd7add53fdc97df41f83a0263

SHA512
e2033c63ff49eecb4c9d38124b2107ec4743404ec887e1f3c2e5f5a949b48d267005b2213bd6612dba3bbca90cb7386702d47b8cc53e533cbf2cb6f5f17baac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
daac2a886a8154523fee4605d5a1d0b9

SHA1
ff4b0e7dca4f52c9c9252f88fea8f51965143e0a

SHA256
c0e4794210e89a14bc2e72c3e826ba15bcd0029c9963cc386a1c232730a8bd5e

SHA512
70d8d5840950d0f9724c3a38696fc8784c375f38a7cbb1aa93f0260f6bcd8c5b5cb730140326f25b1eee00ce39c2e82c731d8cfd6c42f0eec36885ae5669ea9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_287645BCBA32F35B745B436FF45A6C8B
Filesize
402B

MD5
11afd5e2d3187100e69eb92615d89fbe

SHA1
5d467b80e4fdb73ff2e89b664165b2b698059d44

SHA256
656f16fc1e9bcd08477ff23d7d27bf10f6339c33ae335398126c748ed46ce0c4

SHA512
49df3cac5bca90a065a0c932758e02b53caf6843fe8176aba661cc2dc96732caade499a40c320030a09f4d2f4e9ddedcafa857c2169e4fd7db6a59df2955d7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
17bc4562158119b7a885a6118986242b

SHA1
c62456de4c1ff882ef5fabf0bae0e1d22cfd0af9

SHA256
4a40050a10a838d8c370bf0a2393acbacd931a8bac746d9542220bab8816724d

SHA512
064f49f177cf5bf57fee7fa13eef75ad3efa4f87edaa767fce57629753a74895cc9d5ba2b77ded5aea1cb02de0a048aba0c9f7af4e27e5f660b10aebabac9298

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
da4c73176dd95a77251858c0306044c3

SHA1
137a2da63ab170d35654edcbf404a26402cd2a3b

SHA256
17f71c38009ef9cb9b387fda3fd6c417e3a60fd71ba4b6ecf8352a6bf9539105

SHA512
529527328fad1c87776045a988b8c7a8cc0f9cbc32457688b96e91d6cc8f301272d94cadd3edd3417ea322b9bc45dff28035df34d21eb536aff3eec828341d9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
954be63dfbf515339125b0ab57cb86ce

SHA1
26b957b0a2ad0f66df2152d22c82c274a25ea943

SHA256
fa230e4361156853e5885d2dab46c3e722829c1dd12d3c4b0b73520520be819f

SHA512
08837ed9044d85cfd6faf8c78ab88f9f5c73f6d77c04219577ffa114949c5829ac334252174eb4624e41cf72d4b069bea6df06db1ba11b23e1d234e656b927a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
6bb04c5125ba98d1f05374dc0e2862b9

SHA1
dac8b035e155f86d170db1c6f03990c6fbb68b02

SHA256
93a99aeda55f00231bea65a1eda66f3b70d06e6ff8a194a63a3ffbfaf7fd195c

SHA512
bda11e161208fc0ff415606f3e3cc8912cddf6b0fe0bcc3176d68283c487a66eceb05593246e5d30fbe6184c50ea1d479a5842b3d506596e17732a8e4dd761d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
81cdf2e39359009487ebdc1a796bd175

SHA1
c989c72aa5a3a5ca8f4780c5d0c5a10a3f99879d

SHA256
c14ff935b2811f7dfbc911911f2bfce622aa044590777fa989f3f5e5aafdfe6f

SHA512
deb08724ab927e006649bb9d22f773cb94f47515fe144c93eafb7715c30d40e95eec6cbbac662ab543ea476e0f931966b0cd30c1ff1ae5b7f3e2e49102653d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
073796aa62a7e854d2d0d6652e253c56

SHA1
90816586633b6af6ec4decdf6f7045a45ec305fb

SHA256
49cab87676bd2d0af9f72f83fc1c3e1c34926c8557ca2eaa0d621a0d751bc103

SHA512
155db24ec7e5ac34b7bb9ec8a67e7796d0e48f9bc1531e8cc9476fd04b770f368e06182d0e4ab65b64e95e0d7324063e3c839a56e2a6d5e983a1ba4ebbfa23de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
c798ffd7f974b92400a575f365c16af6

SHA1
e39cfdb8797987d77dc2dca9d734263d952c9957

SHA256
2e161670e766a332433788264d51ea3db8ec6f886e9c2139ee010766010c2163

SHA512
b00ff8453be2f1cf3bd2e33783c1e8f04f5573735bc675313f1bc730721c0910fd135a56d9a506be49a050fc6c91f84fba4cec4df77cac6ab169e9c1cd67e272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
b95cd7db22bfbed9b40290458e99b966

SHA1
9bc61de09edaf5b594288926a37c9ee15fa327a8

SHA256
e587994717a719eb3d5c6b150dc577a99e851750dc3cb834e81426c68dbf4923

SHA512
da461b36d250682f1828fabaf356a4c242586f7f6438bc5d427534443f0598f872182ac9cac0da9e9228d6110779a0494bd22e4ddc6a2264b1667fa90d04f8de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1ff8ab617aceddc0ea583d442fcf1506

SHA1
8c1a21076c65e37f7033b0480073a580c016035f

SHA256
77b160ba1b2744fa519b740657fcf9a282deb3e55a2bc9dfa5d84b121abaec77

SHA512
49f01e0cd27eeb0c48270bf648151a0a1a6bab455430b597cfb99fa8622ecc604341abd99c4fecbc41f52944e02529514a470bd6ab2396742340df369f321cf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f125e80267282a790030b438044b5fb8

SHA1
5821bd45962707df91744488463d02065825e358

SHA256
921fd7cc78aa728db058a30a191d490dc8aa8ee5cae9551d687bdc3526a80328

SHA512
db4ee10ac21d2061150fb30ceb2fca0ebd064859d11a08f19af59231f4c2986b48da0251d7709a5440003312f1cd63c24c54b2b515cb40c7af6d2cc687a005a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4a679cf334aa8fb933cac656c23888b9

SHA1
b3c5c27f6bfad035b1da069814c9965276e1154d

SHA256
c41a6c1a001c23608d8540c23e08e7ac4fba877f952f185b8d38fae5a9faa652

SHA512
1e6f0ddb71a6bd4c1a272791f9a41fd412e3f8b9a5b752cce35f771cd6cc94806c6e5fc977a5dff322d2c196fa3330755cd805c2f2d2101718dad46b72075bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
3eb5f7620790900a6b3bc92ab9b94e4a

SHA1
1b3c80612bbd9dab5ba423160d1972cba9fa4dc7

SHA256
5f87a2f35d05355416fd201794de97f74f6ba5ff32e2ded68e615f067210ec38

SHA512
01e8c926ed6fe26a550d547e250dcb93bdf9b0f28205cebf7a7e5075603718abfcf09530630ab30ed836cf3c61a90e25e9de1c3b73cd7f1a40e6724541709b81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
bf833ef71ad58c4987faf4d317ce0f0e

SHA1
ce67e168d18e4f88a58bdf25fd636cabe187c1df

SHA256
efc64a8a3d8f3c61c6904217de060d8841b8d72fcaf2fe970d720952c886777c

SHA512
ed19b514ec2b6cf553d235bcac48890fc8f0d1730b1586d8fc0cf20fb6933017a6b2b21d4116b9648ab667707fe3b4793d54ad57b1bd6b4e4cf1832432ae4bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CD56BE41-02BC-11EF-A296-4A24C526E2E4}.dat
Filesize
5KB

MD5
1e31227235976fdbe20d64f10a979ebd

SHA1
c7d555b8c543008760750a466d9ece68adcc2302

SHA256
6224346fd8b1cf11b3f6cbb438e6514d7780b7c7371362c5023dc67f373210c4

SHA512
114cda5733421963d456a7a4a754f0659ef6c00a54f70ceb7b244490189c67ee878dbc1ea177b6c4b3f9dc1e9915185ca9e4e593b161b7db5d279ac7310ef230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F0875AD0-CFEC-11EE-9B3F-EA6B8212FFD3}.dat
Filesize
5KB

MD5
5cfb007050ef7f80db8e2b7e4739566c

SHA1
663d9e50ff39cfddc51d5aab77d2f45efe7d82d3

SHA256
3f1c776c9069b55238e726c4db0c0433bbd900e193c30ec4e2b67ad0794473cd

SHA512
8d6f79cb3287ea69b3139a3fb101153216d8e1626fef9199e62de6db5f9ecc39a1c80546f0e9a5939ae2f7d88dad52afe546d660659fb20553c79ec9c144bede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F0875AD0-CFEC-11EE-9B3F-EA6B8212FFD3}.dat
Filesize
5KB

MD5
d7eb94c371446460b34d57c82a047c8f

SHA1
a147838e0c7ff6e8aa4bb70a78897e23763cffc4

SHA256
bcbc1416f5f3c5b95bca69b79698ce0b8716f15705cd0bb49f7a8d8e375a5e35

SHA512
9551705bd156b204bb9be70dd07aaf9e371112835f84331c7c784f47e59524ab5b6c31fa18236fc196d950ab2ce93c9d729fab6b4d800ae536a52b1d70f952dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{CD56BE44-02BC-11EF-A296-4A24C526E2E4}.dat
Filesize
4KB

MD5
dd26482fe269a29abf8a556cd27ba448

SHA1
f63685c756e2c1cb547c102e6370c2522d4c9fba

SHA256
38a073a035d6d315dc32a226357640e440e463f2480b4ccc38e7479681c1a9ae

SHA512
ce1393b7995195e5505a39dd03707b8ed17a735cea71f85dd21d10d1486e9a21553a110c74bf58bdc753bdac77a05ceba95cd47873daa3237add2fca77c10636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{D1812644-02BC-11EF-A296-4A24C526E2E4}.dat
Filesize
4KB

MD5
d7042ec5e18f4231ea696581d28373a2

SHA1
07b0be4975978a2d71e5c2b85ff4c2b3225c137b

SHA256
f6247209b9ade2e8801dddb5e4d7c6a2e00ddb1c883af114ba4524999fda08ea

SHA512
fdda78f0dd05f74f8567b04a33649bcc190afb45fef692f0e583c4c825490a183bb22feb8bb4b754b5a5e58a829cf538bb9f5ab3575356f9df09506a6a081160

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA3DE.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4CF.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA7254671C5CCC67C.TMP
Filesize
16KB

MD5
ad6a400207a6d459053136b6c45f730a

SHA1
6f129842beb653a881b9baca742351d97a447043

SHA256
e17ddb3cc1b446a86a30bb8b527d39c7129ee0c59caebea0c0a3ec10de924bc7

SHA512
75687d54a88b6d694aad9a8749d6ec27ee013c1efb2adcb50350e746a33688601c3623417e1e2efb6e206f92ad7842810a36a38ff0d3eed46d58654a6b63747a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpySheriff\SpySheriff.lnk
Filesize
1KB

MD5
cbb559c56a98d87be860648f9649f9ad

SHA1
9588901389edc9c381b99c699a2b3f4e12c2c4dc

SHA256
6c491ba01d947361c2f1ecce1ec7dc0c820e63e84535e055b97d8244f8c01e8b

SHA512
169816060649345a33b79874b5249a904900c3db427f61e163914aaddad87320cddf696c87c8167b57b1449323d70f7ef731b4d27a88150b772b2adc9f7d67f3

Download Submit
memory/2904-10-0x000000001B160000-0x000000001B161000-memory.dmp

Filesize
4KB

Download
memory/2904-12-0x0000000019650000-0x0000000019651000-memory.dmp

Filesize
4KB

Download
memory/2904-25-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2904-3-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/2904-4-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/2904-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2904-7-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2904-8-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2904-9-0x000000001B0D0000-0x000000001B0D1000-memory.dmp

Filesize
4KB

Download
memory/2904-26-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2904-11-0x000000001B0F0000-0x000000001B0F1000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/2904-27-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download
memory/2904-21-0x000000001C580000-0x000000001C590000-memory.dmp

Filesize
64KB

Download
memory/2904-13-0x0000000019670000-0x0000000019671000-memory.dmp

Filesize
4KB

Download
memory/2904-14-0x000000001B120000-0x000000001B121000-memory.dmp

Filesize
4KB

Download
memory/2904-15-0x00000000195C0000-0x00000000195C1000-memory.dmp

Filesize
4KB

Download
memory/2904-16-0x000000001B0B0000-0x000000001B0B1000-memory.dmp

Filesize
4KB

Download
memory/2904-18-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2904-17-0x0000000019640000-0x0000000019641000-memory.dmp

Filesize
4KB

Download
memory/2904-5-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2904-876-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/2904-2-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2904-29-0x000000001C580000-0x000000001C590000-memory.dmp

Filesize
64KB

Download
memory/2904-1-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download