be709af6c21846faa91c04fdab0cc33493459839b068d3cc8b6f08112084a6c7

Analysis

max time kernel
142s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
29/04/2024, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
Size

559KB
MD5

082917028591190929c7e5c7a4ab67f6
SHA1

7eaa7546ebc31cf53f951b3075a3f67312ecc548
SHA256

be709af6c21846faa91c04fdab0cc33493459839b068d3cc8b6f08112084a6c7
SHA512

8f9e726622afacb2a0676da580f4a908dce3796349bb1eab7f1fd5ae7e0f7f2de0671424dc24eb1aaa0206ac9441ef4b5d64bb996deab6216f637223f9f357aa
SSDEEP

6144:1mSUslh44d5nngQFZJ6hPWOkwW0JA1MYKoBdzOiPAQ/V0/lgHR/FJkdm2FqtWV7z:1mLsla4bgL8HwrFoO/XX9D9R7mihneQ

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2944	wmpscfgs.exe
3068	wmpscfgs.exe
1952	wmpscfgs.exe
1320	wmpscfgs.exe
1516	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
2944	wmpscfgs.exe
2944	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4HLYC1TT.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F375C681-0649-11EF-BC3A-56D57A935C49}.dat	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F375C681-0649-11EF-BC3A-56D57A935C49}.dat	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YP4COIRJ.htm	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\bjyGfFRfi[1].js	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dupe[1].htm	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\4HLYC1TT.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	rundll32.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	rundll32.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	iexplore.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\UNIEOV25.txt	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dupe[1].php	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F375C683-0649-11EF-BC3A-56D57A935C49}.dat	iexplore.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\UNIEOV25.txt	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	iexplore.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	iexplore.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	iexplore.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	iexplore.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray .exe	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	C:\Program Files (x86)\259503419.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
File created	C:\Program Files (x86)\259414327.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	C:\Program Files (x86)\259414296.dat	wmpscfgs.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000003b60b6fd74bd47bad930d61010cd0a6aeb4911df8b072f5e39c7942bc084d385000000000e80000000020000200000008ee69659702af0e636f965be9280344ff7c4842f9daa93f060f92d0edcbfbd9a90000000672bf00f6a4798741cd31a33b169daeec26295abb6118722d206c83c03e9d33be6a400a8daf96ea4742e842cc3c79857aa2f9b91166d3d4716d3c0acc4494069651f53a2755544a57e6be293138713f25c0c0c493622e873ffde6b2c2af57c1fd0ca7eed42263448e934124d31cec154660e1403585c7482516b3d50aae1d401576fa2bc6ffd760b6466c510f0122b19400000005004d4bbc209b0f7436b7e789443858c558150d936177cc31f0a0f47937d1a883231a15cf47d4b055d9a7e299cfebe615e981fa3c946f19f4e2349652d820e76	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000008814faea092ac9603038ec5ff3b900fed4eddc76c763dd4fd65758fb01ddfab9000000000e8000000002000020000000db3b39231ec62194e7204f102761206a73000d0b908bfcb09304c385aa7250ea200000000c52e77613b7fc8c66ce59fc23121c4e21d879e3a43a377380a993fdc663350d400000008d27a18f13cd3878d8278a0ff1face355c5199b8d39c50ff51c8d5abe2939c5841db1c7c011bf915029b49c5ed215448a35f1cc7be45838ecc8649861b0eec1f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01cb882569ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420571794"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BE591881-0649-11EF-BC3A-56D57A935C49} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408a02ca569ada01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ca-13-ea-e2-3c-4d\WpadDecisionTime = 20be88b7569ada01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = c0b41eb8569ada01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807040001001d001100000011004c00	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wmpscfgs.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = c0b41eb8569ada01	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000004281f01c20ecc42b879a319cf401f5f00000000020000000000106600000001000020000000b98d6605fec5fd5fa4b78206d306ce6937f2ea54f940685dbe9893fc1f220f33000000000e8000000002000020000000ddb8f9b1b7d1afe16657d928e43ebffc6a5a9320d5d9230b7995611b3ee65504200000005df2044523290b01eff449d489ddbcfaec40440f33c49d63f8f24f0284c1342440000000086b504a0de239d91579db71bec929fcbca37be311f2448861fe856c492394f7a35b891a9ef37fa2103deb49b0888043166b5d65e172ba7e7822e1a5aa103e31	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	iexplore.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	iexplore.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807040001001d00110000001700740202000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	iexplore.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
2944	wmpscfgs.exe
2944	wmpscfgs.exe
3068	wmpscfgs.exe
3068	wmpscfgs.exe
1952	wmpscfgs.exe
1320	wmpscfgs.exe
1516	wmpscfgs.exe
1516	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
Token: SeDebugPrivilege	2944	wmpscfgs.exe
Token: SeDebugPrivilege	3068	wmpscfgs.exe
Token: SeDebugPrivilege	1952	wmpscfgs.exe
Token: SeDebugPrivilege	1320	wmpscfgs.exe
Token: SeDebugPrivilege	1516	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2736	iexplore.exe
2736	iexplore.exe
2736	iexplore.exe
2736	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe
1932	iexplore.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
2736	iexplore.exe
2736	iexplore.exe
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2736	iexplore.exe
2736	iexplore.exe
356	IEXPLORE.EXE
356	IEXPLORE.EXE
2736	iexplore.exe
2736	iexplore.exe
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2736	iexplore.exe
2736	iexplore.exe
356	IEXPLORE.EXE
356	IEXPLORE.EXE
1932	iexplore.exe
1932	iexplore.exe
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2944	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2944	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2944	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2944	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	28
PID 1956 wrote to memory of 3068	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	29
PID 1956 wrote to memory of 3068	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	29
PID 1956 wrote to memory of 3068	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	29
PID 1956 wrote to memory of 3068	1956	082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe	29
PID 2736 wrote to memory of 2644	2736	iexplore.exe	32
PID 2736 wrote to memory of 2644	2736	iexplore.exe	32
PID 2736 wrote to memory of 2644	2736	iexplore.exe	32
PID 2736 wrote to memory of 2644	2736	iexplore.exe	32
PID 2944 wrote to memory of 1952	2944	wmpscfgs.exe	33
PID 2944 wrote to memory of 1952	2944	wmpscfgs.exe	33
PID 2944 wrote to memory of 1952	2944	wmpscfgs.exe	33
PID 2944 wrote to memory of 1952	2944	wmpscfgs.exe	33
PID 2944 wrote to memory of 1320	2944	wmpscfgs.exe	34
PID 2944 wrote to memory of 1320	2944	wmpscfgs.exe	34
PID 2944 wrote to memory of 1320	2944	wmpscfgs.exe	34
PID 2944 wrote to memory of 1320	2944	wmpscfgs.exe	34
PID 2736 wrote to memory of 356	2736	iexplore.exe	35
PID 2736 wrote to memory of 356	2736	iexplore.exe	35
PID 2736 wrote to memory of 356	2736	iexplore.exe	35
PID 2736 wrote to memory of 356	2736	iexplore.exe	35
PID 2780 wrote to memory of 1516	2780	taskeng.exe	40
PID 2780 wrote to memory of 1516	2780	taskeng.exe	40
PID 2780 wrote to memory of 1516	2780	taskeng.exe	40
PID 2780 wrote to memory of 1516	2780	taskeng.exe	40
PID 1932 wrote to memory of 1596	1932	iexplore.exe	42
PID 1932 wrote to memory of 1596	1932	iexplore.exe	42
PID 1932 wrote to memory of 1596	1932	iexplore.exe	42
PID 1932 wrote to memory of 2188	1932	iexplore.exe	43
PID 1932 wrote to memory of 2188	1932	iexplore.exe	43
PID 1932 wrote to memory of 2188	1932	iexplore.exe	43
PID 1932 wrote to memory of 2188	1932	iexplore.exe	43
PID 1932 wrote to memory of 772	1932	iexplore.exe	44
PID 1932 wrote to memory of 772	1932	iexplore.exe	44
PID 1932 wrote to memory of 772	1932	iexplore.exe	44
PID 1932 wrote to memory of 2252	1932	iexplore.exe	45
PID 1932 wrote to memory of 2252	1932	iexplore.exe	45
PID 1932 wrote to memory of 2252	1932	iexplore.exe	45
PID 1932 wrote to memory of 1772	1932	iexplore.exe	46
PID 1932 wrote to memory of 1772	1932	iexplore.exe	46
PID 1932 wrote to memory of 1772	1932	iexplore.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\082917028591190929c7e5c7a4ab67f6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1952
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2644
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275477 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:356

C:\Windows\system32\taskeng.exe
taskeng.exe {8D557286-CC8E-431E-B1D1-14FB34AF1FA4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- \??\c:\program files (x86)\internet explorer\wmpscfgs.exe
  "c:\program files (x86)\internet explorer\wmpscfgs.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\System32\ie4uinit.exe
  "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  PID:772
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2252
- C:\Windows\system32\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\259503419.dat

Filesize
4B

MD5
4352d88a78aa39750bf70cd6f27bcaa5

SHA1
3c585604e87f855973731fea83e21fab9392d2fc

SHA256
67abdd721024f0ff4e0b3f4c2fc13bc5bad42d0b7851d456d88d203d15aaa450

SHA512
edf92e3d4f80fc47d948ea2f17b9bfc742d34e2e785a7a4927f3e261e8bd9d400b648bff2123b8396d24fb28f5869979e08d58b4b5d156e640344a2c0a54675d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4ef92d65517ab6343f192258f55c22e

SHA1
35076aa1f684f83cd770039f36280108e539423e

SHA256
f923431d8837f32429cf86e0a1e0bde307b3d4f64cfc3ff149226f195ef76b04

SHA512
08194a9e177682da2d5499aa7290ed37fae6e1c279094cf3a4c1bd8cc4bf9140c648e9072bc8d79e3e9c03075149e0edb6abed64758f8974dfa92a39baefe541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb01a327fde450156fbacdffbb8a7aa1

SHA1
45c62641574b2608be7481b0927ea4626e704a27

SHA256
a3270f52aabba8a250bb71ee70815d08d85c9aa1af745e75997823d005ebbb98

SHA512
5dd2ad1accf51fde76470e922ae615fda91c6a6e288f2926af94bea1f45619e5f0fa78cdc37bb99d3fedea763675371c9194d49337c1471528ef00c06c8a37e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2890f2f46226b21e5533dd5a95419d2

SHA1
05ac92aa580119151b19fa05e055758e72c90d5b

SHA256
cc8516f2dfabc717b04071932369d2a84b06422d479a6f74ddb9122172795438

SHA512
b38b592e12767820ebee51befbf074367e9c9a3dac9b90ed9af6aeba006feae37366e68b68949e3507f240a881616c5985c53739acf8d1f9e277d734f749de37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b2bcfea382f64cb3ff0d6b7db871b39

SHA1
9a2c156efc9237ed9477b81d2e3f40fb1c28a0cd

SHA256
037fd8f3b19aeb14a7902f79831892a4de6cdb2f6651c99e157590644253323d

SHA512
ce175ceef917b947e819de2ca971a801fc70164e5dee630a1c4eb8574c142f5d4ccf3b74bfff763f5a293dd81b206f06e0ac081871865a1f31b17e17fb844f0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4c511f7f57f9134002543b52f89f0dd

SHA1
c6870f754c0c6c98ac98837a83997bd65531c012

SHA256
345ed3561c53b26d3e903a37007e34f900e5f89fd4e0ba84978c450c0b0f2124

SHA512
217ab03bf94328f6cf8e9e6f26320164eb55323540e17418e0a6872d261c9f4bf8b111808dbb119d0d32876e18babbee7318f7256a13b340df312df3bb5d83a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d11e3946ea125086a256034d9e9bac9

SHA1
1b0d088cba7ae12126c42fd4082813e4e8d1b8c9

SHA256
65bcc68730b928bd41fd146fc0b65404b30f792aa3d8f4708f307be804c83d17

SHA512
0d99567df1ae8b6b27c2e13661c7df27651804b4bc9504ec07b55d5751a4078f4d6009e49a327593f34d01abf190b7c2bbfd941745e8ddcecd58c66a7b3ac99d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08763665ef0d327f5092e70116ac72df

SHA1
7b4697f97d5b3a12382f6b345a3e28be1f3c4c6a

SHA256
fafa803d3f7863d2bb66ead444e0f5df76af3c09e86fce486eb2784b182381bd

SHA512
4e1af5d3575368b5c6c51a32129d90f93712ea33aef8a561cbaa068d657030f0229a508898994374889713888f6ca962147e609f3c52e4387a569eda5e595269

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1522fa265f58d9bab8debd892f02f37e

SHA1
4532494b47f8d587c070139cc8a700c1e1b38b71

SHA256
39b59c29720bbff506d3b520f959c3f41db101b6533c80e1b34d306f47bd8eb1

SHA512
6ae38ba01c78dc4a9fad08a4a9c829a8e9cb9eb3227534965c957f7cee48f61ee5f35f985d3c6ab33ea5127b694fc5da839c157bcafaec2288233f59e69499bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e1eb89bb8e39941605999b6a4003135

SHA1
332f99128af120d681520b4d386187cabc1d43d8

SHA256
b17518a69b5b362c53b08ec5e7d62d9f2a064f594800226d3b6c53d78cfdca82

SHA512
26bfa43f1bb2c8e2cf9948b83c47632da777f3f9228abfeaa8d9bf412adc9cd154f9a83d26cd420d9953c93b918f26ba1361f2dd95618a0dc623e17114fc3d13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89d7606929a06e671f9eb83fe4573bcf

SHA1
32a605c1b7b3f70cac96ba927fdc53d77b4deea9

SHA256
9e74158cda31134863b7e1ace86a426e6b1870263a06d771eb89a1da25720a9c

SHA512
021ca87c5b921cc467ea2dbe29cda0c7ea79e11b6d83f9191a02ae0c132468cbdcb2fe08da16cefab1b632c7220b4f5accef2a114cab2f644102a991ce59c8f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
82d3bcc8ee956f47d40113f0fc72f599

SHA1
bf4bf5187eb4c89f362da0f298123fb522cd576b

SHA256
e0c636c506935c2b15f316fdd42f9acc7012da23c4581ffff30167994ab61996

SHA512
185c9e3f50a6caa2706699256d541036624df9f3dba64ab673f80184f1caf57f65f18171c3c0475be51bb2f3b0996c392d1607912fb5a8e84d159971f4cb8ec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffc7644b33ca568a0d7458f530618753

SHA1
19dc23f98814a4ba66215dc49f443a15925bde8a

SHA256
3d3acb26decfa2a8f85e9e15a62d12ea9af173b782e96d7cf8559b263bccdbc2

SHA512
0a13b178d51fa69061317a2883ad13145d4d7f54988c6887fdab8fd70b86f897a1d8ba649bad59e1ec86cf1340b53537b2845d95a07f40d6590b19980883194c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f234e77f497864c564bc865b43b48b9

SHA1
f6caabbb7d88fb42529d95e35b56061c94278fef

SHA256
ba16ad0b779608a206b9e1f9929d505bfcbac21572f7131ac15f130132ecd104

SHA512
5f9e7ae8eacde9f333d57c2519711b26124051216ef2a4f049619ffef04cfeb34f1073faabc45638555a432d21897195088ce24112aa980501bc5750d30513d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d168011931d5637dd6633096e8eccc7

SHA1
f78a89d1deba6fd95df252bcf985b24c710c7e35

SHA256
55234ba52c5f0346320eb1c677995105cad2e52720bb83738fb0d97d9bbd3ae7

SHA512
930dc462c2488804ebbae7e40e3c4b516937dfe5f85c3c7b7940de34367a696fd2d4596a0ec418ac40298d3ba6372aedbe89ffc2f00ba8edb7a51212a511a7ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1d6ff2fa0c88f26f70393a098c8ea617

SHA1
0ae4ca6e27862ff6a078e97249ba522f9cb8d2e4

SHA256
e99a622997a704c91e62b577bebb8256b69ca9b58f6fa9ab6e0103c5272852f4

SHA512
046417e9a677a226e13a9acac46ec9365e5811a51323ddbce0f073cc40a5ec17ed5bcbec4ec2a2807b415e08147b602e05e2a74988a6b19020fae4010af81877

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d24396e61d4bbe893f801a627f999c6

SHA1
d3f0636000a36a93a35594dfffd65c4745735504

SHA256
5766d9cbdd4a72bab7ae8af4b36b2f413add73a433ba2a974c0de4974a74ab9d

SHA512
fb244aeb94678d62fd37a57dd4257defe75767cbab0da8455797e5bb1f74c7473e2cdad370b36a20ed110f3b792c0e8d8d2ec46c33627c5bf2d85c16a388b4f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
817f18f148ae9d4213154ecc49ffd4ea

SHA1
4e7cb7053b082cf6673a1c16a97cc1458564f3b2

SHA256
e81e0dca3d978818406c3455440ad2e954b6c0d35baaacc097409ddd4620e086

SHA512
e56f9ff7ea27da15ddb92ab1162274357857643f2b02496befecbfb850ebad9096fcb30f33b33628981a5ab4bd5068322c66cbee7820faad36e29183a933922f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4fb6aed94fe9116b07dcaf07be61d3d

SHA1
32350d453c5ef317bc98137cd1cb3116cc26981f

SHA256
434288a41e81f9d016beb86fe90fed8986e62152fb4073ab4a1ffd3d8c6e7571

SHA512
706139c7eb8ecd9a40ff39827773a497d90a7bb579b1dc4d45b5945d3b0ae9eef4689ad5f3adb26a84c67f3201293f7b00aa225c168d49c70fe00bb4033c8b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ae87a324ecf94428e3f2f38548d260c8

SHA1
666929f047944346909f39191af55683ab20412d

SHA256
95573c05ee7677a57e15184bef366d6f937b93ba43260cf3c7206ab1a3cbaaed

SHA512
afaf6eb6d6487a1d1ed83547cd54ef328f57bcdc62c94293fdf556633c34c457cd226bf344a5a7ccc073cdb61efb32c471ca2c94f63bc6fac81e522a1cf1e011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\byKazQYTA[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7477.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7588.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
568KB

MD5
6b8145a39eeb47513ed3626bde246155

SHA1
cf517c978513789ba29b9580f9071cb2ef9a14e4

SHA256
61beeecd0f04c2fdac8c3b3c84a8fcb38cce1bd81b0904c5659b43c76710bf54

SHA512
bfa1f9e60aede9dde82b3e3b03a0a64ce6d18edf8d5d2709a24da845ab411c2523b526790a0037548dbeb8d2e6c46428fc516c362189e3f90b2fb4149059ad91

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF05D4701A38E55EA4.TMP

Filesize
16KB

MD5
d66c0835aa00e2ecd64d9d5b5373d544

SHA1
7873e80fba9c2f9d3be46b56253aabdee8f42bd0

SHA256
47e90df58233c73e2142a7394e980f31fbc9ec813a459ecadaeb07a619075ead

SHA512
c39aa6fd3d149bbb1a19c62be7b6b36777dc4bb728fc51cab5743703569f4d6ec76584c9dabfe88be84f9cf686ee069be393748b3d51c25ac1efd0d6dfea7689

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\92EIXW98.txt

Filesize
123B

MD5
52fc1afb62c4f486f7cab76ebf3f4f60

SHA1
d256020d1d7afe6c5bf0a26794eb33f5148e045e

SHA256
a7d6dad5da796882145a9849cf8d597b9850b58e5342d767eeb81c1928c77fa6

SHA512
e137686ec69fc7c61a32c501d1e87b521c1726c0eeadd55f3e0d8f24d824232bfde61d06f65827b88c7332b1d7a914898209ddef816dd679e0454d3b499b001c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\B2VBFQ7G.txt

Filesize
107B

MD5
94f2b8555850a05e8c0ea4115a4aab92

SHA1
9e8627d6ae5d18d0ec78487a8335a2d868f96ad5

SHA256
4b1d0bfcad9e949d549978482343df1ac95872d8bd35c92f9cf47596f34c0fcc

SHA512
364050670ae3d82309bcd02f9110a3eac70ed280ec9619bb2193008f1de1fe82c2dbd6db2fb87749b60d3bdb172cef2c6970cd38159ecc3ca475470a187f98d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
82d483a171f6aa91e96f846fc0c6a1c0

SHA1
c3daf97834961c6d091ebb08348a526dda4ffa71

SHA256
a8f4fb5df95c21a383616192f0ea5acd422d6f6df8a9a5eacc3c216c96776df8

SHA512
f3d6b228941647f228798365b1b08410e2f4860b34aba43abfed92e95e4dd3796ebbdeb36daf94c370e694949c1f7f90da3b55cebf40433c6759b0b910eaa8be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5009b7c0424fab8f252ea899491d3ec

SHA1
8b01aa5ce785c79019b894fd36984e2ec07dc8b2

SHA256
00aba9d645ee86400ad92aebdb3ca31805f157325dff9e5e04b9fb2049037e4c

SHA512
ab2406df4bf56cd808327e603c2fced281baa3272deedb22b7e7b05f1028bfdcacdb25dae2c5a70a9f4484138504d08f4f768cbb8ed2eebfa3e8258fea7d1fed

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0183a74d6b0a590b924c3b1f633b3eba

SHA1
480a2c0ae9f9e9d7a614f7cbb47e2981c54ea7d7

SHA256
2bb83e40b2a980afd4e33124e33cb79b034b029d838681df0ee32bdb33f97262

SHA512
1134dcd078f7b869fac5ac9e30f0bfe64442c38dedfed36bf9e5a1e200e37158ae59034bd464b634d0c16cacac9b6bd04ce56f214c1e028a5a20305110280c35

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8234cb80cc44e7f197fc406f90ad55b4

SHA1
3e54b4304f31b05f773a8c0907fee81627bf65ea

SHA256
cf398da3146ea2a0dbf371251ef9bb124c34ac7465fd60ae23f296d5dfb014b6

SHA512
76f78096167d73cdf772736e087ccf1420de53c7c4c1a7613e17f004491ecb6e41bebc65d64e520ea0bbeeae1bf6e538a60c42e7e71d95581787b5b047b947f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8b75545c01d8a96c12ee4cdb9943e37

SHA1
83035006fa3d64d270b2110cca4e8e0fc22f313f

SHA256
393c2e30196dd3674835cda50778b55ebd08c1c37821dbe4eb90068998f09a9b

SHA512
75360415af87b34be64f4f841452d77e95ccda103774e81fd9451197ccafe6d1178e168ccb538005045743f82cdb459905194f05e159437c869b1fb00a736600

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d933694f204d59cf0461b091d7f394cc

SHA1
9b3022116b926f76c621699f5ded9635b6f8de28

SHA256
ad11bc1dc46c346e7405a637df9d0705fdd56e51e41fe03afbdef6623e2daff3

SHA512
cdbbcf0d7f568656400ed240549eb064fc13327af9ed93c9e34fb1193fb19c8eb06e77bb80061f8528a134d68b920e8d35cb3009e9739f53f5b0f1da019c844c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87bb390a385b005610cd09bc83f8cde9

SHA1
2a228dd8db2779026b2db7329ee44baac018255d

SHA256
3666de6b3b078088f24468d1756f60ed3b880a606ec10d372684cfeb8d5ea5be

SHA512
99235e512d0c3fbcc6780dde022e265e5e2789f89c6809b9ef45067d60fbd265d9bad9f995debe86667bc0e6bf809a41c410c307a86b23de47067cee40917716

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
125ab558143a8de89284c6c542bc6e0a

SHA1
d4a90bd8de653df96376f9e65e8dd26434ec11ef

SHA256
3908dfa8a1f6a7d8451359158d5cd3969c2d509ee382a8a3db9ac164a6cfa996

SHA512
f5a7f1108cbe1f0634da430fca734b72e97418720a88c2d54aa1662edb10ad3ccd7b34f0c349f20bcd25246d677963c8df45615b6d701317845352e08701d6fa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4392203a3410f7cb28ce892723646195

SHA1
1a23636a8bf463fc7400459c87c6c0488f508775

SHA256
2cf70c6f1c242e37f0609bb2ffa8e6cf6f054a762ef2684cc5ec34bb6a279ea3

SHA512
7d93ff2c85ace08b1d5757e01eb619edf2d562f36ed339a3b5687ad962d835235736095390e1656d534afbe5c46dbfa2ac2b38d257444be9abb2ac8b97abd87f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
713e10cbb714505e11dfa1e1145fe30b

SHA1
02bc60e735382e633a2cf50dabd569ecbf219ab9

SHA256
f27b5045bfa019e5e0f2fc242fb3700dd1ba7faf025f6a7380a0131b093e0e97

SHA512
58f61ff8f502c159d4242d1e32f019d198050c96be2395a80c01257d14ff6914a0f7325129c7b867ccdb12c335baac0497b28ae1dcb52030d35f314036021d7f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
66b7bcfd175def81ac4f27fdef84dad4

SHA1
6087216574e8d98597085ecf384a00e928b5d02a

SHA256
f2f2c188d433504f3aa07830177915e7f18b08886c7a7ec4ae3d9a5b01905231

SHA512
79fceda87474f3447a01a3cd68044bc37b84aae4e85e031a024bb9b915d9f969e27364b28d6286fc94a53023c2211ab41a23f0de6e04834dcdabe820d40ca969

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cfb2b56655cfdbf8e4639bb4f18114b1

SHA1
0de4ab93fd0b6ab20d7374806a76650d463e2c4e

SHA256
70f00d9c0391e5359da27012e68f65c95cf644af04a652b0e37844779d030f95

SHA512
a66ef92fddb971ca5993dfe3ee53684091cf2379c4b9fc83f1d20b8e37d6f72ad1f090e504da84522d04f979e003c32a7e0f976081b3b9eeb4a21277d9215675

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdffd1336242a6effff668ef49e786f8

SHA1
23df342defd537f6c5ea0fde27a1a6baf448eec9

SHA256
e937af4a5ffa7a739f73eba31bed5eaab34c4513dde8c154d32a93504d1ebddf

SHA512
661589d5b025cff5db3218e4c0d5a887a5ee0f81ae120bc2a89529768fd6e80496c02931e4b12714dedf7b327c51d4c5f225c58f6dda62af84684d29665bdf7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
334096a0cd37bc9bf6748db8eb9c6274

SHA1
b1f76246740571db2332774189dd7567c0235ee7

SHA256
0fbf1581d7b29b81b3d8c7cf0a86c9bff1bb485f8d3be5f13080f7b6291a80da

SHA512
18eae10cef298066e10dc58a2eb5247bc667863f85494282110b0296f6dd17546e2689421f4079d86607929b95397c0b9f108fd030b0b02bdb595a8adb886bb9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
232ec7ac61aa2766d78a5b5618921350

SHA1
2856ea06a9429848b817ba6c316d5d04bee3eebf

SHA256
49872cd2984289aacbe722b529160c3304508f3d572caecaeabed69cdf58756d

SHA512
4eaa95ee42bb456e7dfdc1e557b35a6fd4d8f93a47abf8e0d9cc638c1e61ca0fff35620fd51ab09bbae5c03e052b177287c40e8b6d2a73afece587f4931dc62a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
7e265a004f7eb2a60a98c3ea3bb08811

SHA1
4722bd945fa502ed73f83ca87e8dde0bc615d898

SHA256
d4c684aa324cbe4161d94298637918c3d14067e6c0c374b6dc5aaae5b6793a10

SHA512
2a34975c3ffb6442dba8a0a42cd8c9da21d45c3eb76f2250f89d9a49abc90dfdc29f06f1644e3cb4fbc5c97316d0772e6c49fcc7cba7544c2fa542f35f67ce26

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabC813.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC827.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\wwwC6E7.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwC6E8.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
5KB

MD5
04f5ce0924fe3db1ccb22ec6b3d7f5a4

SHA1
bcd52cb617b65ed03dbe84ea4c0b992e4f76a06a

SHA256
6dadbd8ac23fabf5862ac7a8c47731b43da72d59c33068bb85d1e27ca99aa427

SHA512
15b9920ed21a1879a2b0881c8adfbdb16bd426987df75dc52afbf3e129fb074ebbfa46db2454e0ae761dbac735542f199c7424d9b2de52d76c72771dc181763b

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
4KB

MD5
0e1c8461256d3e28fe6f3108c9ebaa71

SHA1
5364697dd5790bfe5c6809418c858a90f25dc805

SHA256
1042936afcdd04815aa9c69d2d494054414fee48b7224c4a91af233426e018db

SHA512
85270dee0ebdc59f9bd64d56601310200b7f299b61724147a861b06f2f69eb15c22243a6f06523a7c90c1b00ed5ee33bebe1d574630aade08103cce931f85081

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
5KB

MD5
86199267042c83c577627e4b9a376bac

SHA1
e6d59898e0273788c7b6644e3903812519dc3282

SHA256
4e30b72c3b25f81d9cd80b19d26424f65c6ab35228b305d9f6f0cf757ec2888c

SHA512
8016d4b162154fa506203af19f57d4f14b00d6742d5a89047f57b582f9cb96af8e16405ae756b615badd3264c5661d40fd0e52963e01c01efcb7e1288925aa13

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms

Filesize
4KB

MD5
d7b259c3fcab937116df1ba7bdbf9440

SHA1
dca993601324a3397b9277cdc0034c9a1728754b

SHA256
d48173ec0c8cdef8e84469eacc7597587bf8cd16484e9604184d49fed9b48325

SHA512
43af4c370936dd77ee781277a2f1caaac7283d8b58a323532d2be55c9aed53ebabe3f0deb8b89b73923b995277bbb11092738fcfa6f8f80e21613c7d16885754

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms

Filesize
28KB

MD5
81eec26989aeecc7d5f8c3f79e0f8508

SHA1
ffc0fdaa64e339c02aa17bae27aafa06fe0974a1

SHA256
d6296f5a1166a13682d6455cbf679cf58ccae3192742b4242d371341e7ebcc9a

SHA512
6cb3c171d3335fc22467d3918a29cc08c9d015c70be714c21e205337e392eb48723d709b0c1c5b3447b5449ec9c2223b1594abda110b61745e17cfd9406ef0eb

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
573KB

MD5
6f2c925cf83973a93a7ca548abee5b5d

SHA1
6ebe0b6fa8b9a2370c831f5302f608d3024f4b2f

SHA256
ce4d1daa8f1a152721d3a6775b773f306823331016024ed81dc186d83e6d6e7c

SHA512
f607a29bf19dc93df8ed08d9c4c5dc27ec6a1aa6491c1a41ee575e2e92df047a4870ba4f857d1b5d0de450c6def1528cd63995a574355029fd7ee8ee644fc71b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
587KB

MD5
9f930493eee8de155fb57a89f41143cb

SHA1
0ff30ed64e684ac887a2494c87743ea7da4ae452

SHA256
4242ad984387eb520ecff4f02823fb077c5a3ff52361d1a86c0869770e471f50

SHA512
eb9d6aa3ded081a84b454f90f1b1182bc04eb015c1c3492b1538f1a872ae132921c5de34afdf3dea09510d6a4a4a09d84ef6a3c61d2dd86d74fbf0d09b715f72

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
566KB

MD5
406df241563537bab4f214677e749679

SHA1
5805ff0cac5e7710faca805ca5c6bd617595655a

SHA256
33524fd29aa73ca51b0267db1145dbaf3d3ad8019a2ac6e3c02b614ee573b79c

SHA512
31a153c5469e4f1024154a6b3cd3f18db2954837ff219b422bd9cc5837a8b0a4fa0951797e6fa01a079de9d376ee83c6e8b58c9d5e58e3753e15263d4a237702

Download Submit
memory/1516-1085-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download
memory/1956-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2944-59-0x00000000002E0000-0x00000000002E2000-memory.dmp

Filesize
8KB

Download
memory/2944-23-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3068-35-0x00000000005C0000-0x00000000005C2000-memory.dmp

Filesize
8KB

Download