9c5dc36861b765b5b3fe9a9124a0b57022e0d3879739ce886bbd1afafb4889f4

Analysis

max time kernel
121s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe
Size

534KB
MD5

05b9f7939ef42309ee576e036c7a522a
SHA1

90d684a3d0a2053ce8b2155935442ad2563699bd
SHA256

9c5dc36861b765b5b3fe9a9124a0b57022e0d3879739ce886bbd1afafb4889f4
SHA512

52bd6e5e06ddc74e3b6ee7a624599334ff1965a5d233065163c4fe5715e5cb7eb4c5ae7d484817cd7b3b7ea99a07fac39689b2dfb913603c1173230d2ff25e06
SSDEEP

12288:OelBeCEWuICuNWF+rZj4z7uQm3rG9FATk9yg:BnyWuIDvr1Ko369FAT+

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2276	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
380	RemoteAbc.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6992FB61-2EFB-11EF-995F-5A791E92BC44}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6992FB63-2EFB-11EF-995F-5A791E92BC44}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6992FB61-2EFB-11EF-995F-5A791E92BC44}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6992FB6C-2EFB-11EF-995F-5A791E92BC44}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 380 set thread context of 2128	380	RemoteAbc.exe	29

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RemoteAbc.exe	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe
File opened for modification	C:\Windows\RemoteAbc.exe	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000080ba212e08c3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6992FB61-2EFB-11EF-995F-5A791E92BC44} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D48F5A0-6789-48DD-A812-7B788F50D9BA}\WpadDecisionTime = a09cb62d08c3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D48F5A0-6789-48DD-A812-7B788F50D9BA}\a6-5f-b0-80-bd-fd	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070600040014000b0033001d00170200000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070600040014000b0033001f00cf02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5D48F5A0-6789-48DD-A812-7B788F50D9BA}\WpadDecision = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070600040014000b0033001f00cf02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-5f-b0-80-bd-fd\WpadDecision = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = e01b242e08c3da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425046398"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE
2032	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 2128	380	RemoteAbc.exe	29
PID 380 wrote to memory of 2128	380	RemoteAbc.exe	29
PID 380 wrote to memory of 2128	380	RemoteAbc.exe	29
PID 380 wrote to memory of 2128	380	RemoteAbc.exe	29
PID 380 wrote to memory of 2128	380	RemoteAbc.exe	29
PID 2128 wrote to memory of 3056	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 3056	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 3056	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 2032	2128	IEXPLORE.EXE	31
PID 2128 wrote to memory of 2032	2128	IEXPLORE.EXE	31
PID 2128 wrote to memory of 2032	2128	IEXPLORE.EXE	31
PID 2128 wrote to memory of 2032	2128	IEXPLORE.EXE	31
PID 2292 wrote to memory of 2276	2292	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2276	2292	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2276	2292	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe	33
PID 2292 wrote to memory of 2276	2292	05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05b9f7939ef42309ee576e036c7a522a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\6324.bat
  2⤵
  - Deletes itself
  PID:2276

C:\Windows\RemoteAbc.exe
C:\Windows\RemoteAbc.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:380
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" 83453
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:3056
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6324.bat

Filesize
218B

MD5
5cc4806cf003c1a5c7d3109ac6f08283

SHA1
a60dd5631aaada770d7bddbd10352b87362cd2cd

SHA256
c7ce3be105e38c8f19fbee7a2ea70427177bbe409f3fa8ff538634235a470f64

SHA512
3802d89612743de705a5e6b94475dc8ce9396cf1a4b3443b8f7ef04d17ccddfe6693adbaec76968d1f4bf2a099f10dea0741ce198469b986a53d87fb6bbef1ef

Download Submit
C:\Windows\RemoteAbc.exe

Filesize
534KB

MD5
05b9f7939ef42309ee576e036c7a522a

SHA1
90d684a3d0a2053ce8b2155935442ad2563699bd

SHA256
9c5dc36861b765b5b3fe9a9124a0b57022e0d3879739ce886bbd1afafb4889f4

SHA512
52bd6e5e06ddc74e3b6ee7a624599334ff1965a5d233065163c4fe5715e5cb7eb4c5ae7d484817cd7b3b7ea99a07fac39689b2dfb913603c1173230d2ff25e06

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1cc1310de54c12010755f2f93f7638ff

SHA1
a9afbc25bfec0b9a9217b98e21b8490956a9d4c9

SHA256
b3fa442a00823cdca5bc6f9b0ed61cfb17e23cd5eb5d453cb0baf43ea0517bc9

SHA512
fe73b72379d7bc4d0036b608f8b91615186d3809fe80e52e815fb38062236f4a017739d0de8c9e7cf70e7eb44c1552fb477d068aac128375f83e8514b253e7e9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2eb0b9bd1c6f76d61367f9400c7ed8c

SHA1
910f2b884a1eb12b1213b4a538732a7122af62dc

SHA256
a92279ad6251b0f9e10718f8b149204fdd02a90d79b8e02331ef7b0691125033

SHA512
0c97a1f50c6289190da157f0378daeb670dd5529afed121007fb24d5f86335d8e492d737d94b40d7b1b51c41a81c4df984c336abc7cb06875aec292620a0eb08

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
202a98060826056bb7b7c192a0511346

SHA1
023005cff237cbe7f1756aad99373ba3a35b609f

SHA256
8b5f706bac15346b8077655876161e3d866ee095cebe9951888fa7ce0cdbc7c0

SHA512
fa20af5e7286231ac0291415ead2bb9d544394eb6aafb68502cb2fdc15b1bea56cb504e7244cc6ecce60a64623c07380c8bd3d1904aa005a5d7756b5aa5479cd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d7c9072e73db99facf827e97c66d65c

SHA1
1e1c40698c0ac22e35b4bf3a7381991b5ee7fa6f

SHA256
b9ca1d86c98f4f662967e776d06e170c3b3526bc92eb4eafc1c78e485a4c909a

SHA512
a03b61a96a93cb3585657b50a73901930a9f8e732fdacd77e2d48ae7f3a520513248e1a17e20e31844ca2e3dd0296289e378b71bbdd6961bc5c8e278b0e985a3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a01d18f0183bda7f070fa50d4559760

SHA1
dd1366702a5fa60db396a41834b6978c210cc5d3

SHA256
78ed3e070323bac5c3d82a88e36c8101bd9646d257941a5e1b6ccf49505af81b

SHA512
e8fddc2e62b342e2b00b1803a7f04b4b9d4d9d15c5c99bb08dec58f2ef5e080844450536465d122160f6e76b607567c08c736362b41d42113bb24f8415f521d4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b638c027671913889ee26e4bf36105f5

SHA1
01fed220dd7ee811736181ca86575c14e551bdd9

SHA256
3202efd065df2223acd7348ea46972731125b8829d4445e91c41e7c06dfe2a5d

SHA512
174542ebe80aa9bd9c536fcf84f5e250f0182d0a9b0097bd31a247a9820f7e3c7333c1849de88da96f0f701619570f3c8629daf09f6fba70c83c7e04cae89d70

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83870948bf3170c124ea28d68a683002

SHA1
fe04823cbf55ad9c99bb31730ec0ba32117f11e8

SHA256
6b92437c361703885bbb5d0756ff7ef4489ebefe55661d086fc7fae82d935dd0

SHA512
7bb301d417394cbd574e6cc26e94983b56c84be5ee3c0f063e3cf158143c146ff997ad33c82af41bf01e1bb0e5ce616a5b33c8fb97571d8dffb7d127978fba43

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7738f6392ee6771630adc60580cb367d

SHA1
947f6bcc29a3f7f0bcbe4c4c9615af2315911ae9

SHA256
c36a2e0f11a44d5e9af8a22c8c73f48662a1c9b748b685fcf057bd31e27db05d

SHA512
abeefab25443ef197bda274b31be8c507b3a2c766965b5f16585e0c9ec64bce513b51595f7a1b27ae23eca7dcfe2c6ead25c923b34f5eae255344c263affbad4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8e2234b70311f7c739bade0f9ee0894

SHA1
f3909c376c750b43ce8ffca976c0f9aeaf124481

SHA256
6dac07070278be9c4726a955c4c635e653e1de4ce53befd58b9d28cbd6f92b9d

SHA512
106392893b8652b4d72ff82b9b5d28a3c5bf41606049de49256a8fc21dc1979723c175ebe05ccc9b30c2220e0f84959e72762dc782c3e87437f4c80432fc9979

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9cfe1ab51a419700fa3586e8b969bba

SHA1
e2cf1143419ee47f6be29467af06e95c07b4476e

SHA256
a51eb8be6b9273ecd9cf7957986f16d6d10ae6dbdcf097bb7d0c332cc5b51732

SHA512
5ad402955fd81f4ad706d48ef7e061514c446997305aa0a66ab15971f40a3f2f22b30b8ebadf912efd65d77c5776a14b5e220248080a2b083e40b8f6e75796cd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2885c63acf5a5f8431711aa97083a3a8

SHA1
e6bf64d2a4e4006e08c374045766987b80dbd1b7

SHA256
c59f4e5e9d559072a1719a148b5832354e5f5d6bc21b1c6d055ee83e4be690e7

SHA512
3a2814424c38c885d3fb5cc87b6b28cde14d6fba9896c98ec1eb19a7b12a3bd28ce616a83042e06f605dcf2d82ee391292417b25ebed161772530828bf62c038

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d1f7de523560cca471a2f3a231a72a3

SHA1
9f1bbb6476fe099f59ef172e92a3a57ce2b61328

SHA256
f31e62462974127467e299881f181c5932a723320b147143c1ce63358819f70a

SHA512
1d13c9ce07283c481b7d7c89b53101bf24dc3c614c768d5f37aa0603c8a34f290586d30dd5bd661b3c10dab8c9feee4d85553a4154f17e93487144275fbb4cb9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce1382639df634ffa6d17074a621deb9

SHA1
2eb1dd3a39f6ddca05b8f33639527fa658126b49

SHA256
4742ff322f88830b17bd376abde18fb54e9885339ab85068fe0dc77be1b4e492

SHA512
d8153ba4314df41da511c8a765d2838297827cabb4971149fa79966f198dd9993e7833192e1a57516a6a002e66722890b0fb46861f0d459889f8b635f200b68b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75a3d0883136031c17a31b1a1e7633eb

SHA1
d65ebc189d64954540625d0bd6d2935169ca5ac6

SHA256
c0e80ade90e4b71c603e3b9c202a011b8df0b60cd6018c028f49fe754c20a8ac

SHA512
ff7bfb40c118a4c89d4c6700903ff6df9bea4b95260618c1e0da4060b3c715d81ada6a2ad717aae63a6e78a22d32ec3bb74048091d1cff081f083ed3ae4db80e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb7765b8a50e8f5e8cf0ef807960e4e0

SHA1
a5e684d3e5f2bea93cd497713c6e3366f49f21c9

SHA256
a8f819768a509f7da669c25cfbd9270b18a66847c5e52efe1ae18eb0c52e0e3a

SHA512
8bc0f9f9e1d2e8f8c04b8334627bb85e21b44f98393bbbda4d3d0456de5952b2368aa6b3bd5614b699d6afc3b6bcef5661dea4716f8b900d9b070bf7a90b68fb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4387bf8515e13831efe107a68766ed60

SHA1
bf6f897fff2083d8064e6eced04251f51c70c16f

SHA256
1a34171cead0249a63354751f22b869ca4849ba8da828e40dc680f17dc0da4a4

SHA512
52df286ada6f42688e2197bb664fda1e9fbec2eda5c02177a49dc7a74249358957ca427de39a0bbf07896395cf4f4ae552d67c85776ffdcdfc82da3b0802c25e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd3d12b4b82a034e9d04bd1b9940ccb5

SHA1
54ad5d352ca87a2f5f9d4d1b416d43e7b02aaac4

SHA256
ecde51065caa2fa420307944dd9d971ff38c23bc5fa584724be1a57352cc570e

SHA512
052afb8ba64d0c45b517d11ef4b632384c3f4e7aca4c53c3a543f86a894bac4ab86807a35f43fcc3fd11bf4187a517d00a7dceed8600141b11e58fc6ffad6fa4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ede5c9c85dc9b6834d88ae2f7d7e905c

SHA1
2da7ed47d4d07070a02aef79e0b6a53c0889b2e1

SHA256
a53d4e85f529763667e1762d6e1d272a3c6ea3421470e04f5e42b82f2e034bbb

SHA512
326b0cc0c58fc6a273e784af7c93370b0d523377cd999a50d6a3cd9ea30cf3b3e6285824929d81778ed2d6fa34fbcbfaa5ae50104b46b073560a04d788feeb9a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80cade61ab77a38ab8028cd962a16ba9

SHA1
993c9cce9487c4da0611b82b03c0d9ea98c7c445

SHA256
a7f79a4a42ec7da2cb081de0838b9cf6c0fef7069afb84c207b88ed6c7aa8423

SHA512
d8f0dd7882cd050cedbc3b3a50a1d930feab5e092cb8340cd59677a42377990bb61d67752b1c5e732cfc73ee808018d555fd2aa5d393fd09b7954fc60c6c3e64

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db40bc68efaa4825354f123082e74fc9

SHA1
ad40d01507bb68c06dcafb90e00ac18685b640f9

SHA256
98808bcb0afc0a704e0a9c71d842b519155ca0672828ddfbf14e28d871901628

SHA512
9fb3650e4a3873156d5b36f58e97beae94ad8369905ba8f564a83a78a9ddfa759e2dab5f3d08e06cbaa6ead3c6d877f5c31494e17a8e56ecf355d8b8c0a15d58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a823c7ae55c2b32307035cfc4f48abad

SHA1
d684bf53298b9229e3fcab8718e726560eb81b4b

SHA256
b4732c915aec65d4732734dfbab0404ef053c55673674a54c7eb10b5fcbb8b53

SHA512
503f30395a67ab0062160595985ea695214a7a6feff557af40c1e2b12f8fd57c6bbe04943ee7e7299b2041299254d86f94315b4f64a7084258819c601ea39e46

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac4450edf1eb129f2123cd4945c4bb8b

SHA1
88531011e718ef931df5216d14335b3c233ad58b

SHA256
a740213817c8e1ca03ac88bd788009230f18df220cd38e85f6b2f843eb8c288a

SHA512
6334fbe14ce8c649bab6324475cb5d428ce779d92651b1d9173514640bd2fc0f43414914944de3e1e74275b60f48a0d5ede3d259f120961750d7a7d9cb5b8030

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14540ae773cac203a827739bbccdc51d

SHA1
40f775396f4ba36a4e18f68bf1652dfa023b83d7

SHA256
d1bcc3c0a6b15f52566a5db6faf842fc249eb2e712886d599cea542a74df2261

SHA512
ef7e5889eaeb8ab61e2c46c2ff93eae4afd948d490b8646d2617af82ae93d84d7f7d601cac2a98508153419e4c35757d8c635162dccbe221105d20663337e5ad

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5133b3f870322850def790df2afe939

SHA1
bb38b23107283e755dfeddfba889b521676a85cf

SHA256
59f4fc433fa24dcc71c590305ecafe0e56be9ef25f7fa57c9a5aed943c57743d

SHA512
2aa391d376630db11e07c6420151eba336eb55b0f2aac1a2ba14480988bf82929bbeb9347c1ae7940972b6b352f48741929bf4ee44f928861adc1616f984f9ff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2992731c04513cc2dfa5e88635684293

SHA1
4639805f89e764b03fbaacc5b707e621c4e8f522

SHA256
8b28518eff9166249bfeefbde2206a998e44cfcfbd886c64e976be48eca79040

SHA512
289906a477e54ceb176a0c103eec5e59662d013f1f61a794a50a04499de674befae91902ebc131a8094fc61d3c27807c3f5c04f2fa088cd05a80beb646a85219

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ee0538d6e3fb5786b414e8a6a22837b0

SHA1
766566c95a0ff81600b32db30f8e5381d5b1ee5d

SHA256
9c2c40f6a933f569d8a9cf7f2a66cb01720382def7cefa202bd4d513774e6818

SHA512
95bda4a87855566c5d936367c2130cd4905f4e1b550e0c07d0f3d47e8ce7ae3464848d227de0e720d53be27fb72fcdb585e584a8bd2d4635f9d5da0790c5a482

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
282B

MD5
dd74e2fe22d5594e137db16b476dba8a

SHA1
ea87306a8488f58b874ed91af4367a613b996da1

SHA256
14ce9784828edd441bdad1eb1933bc9140e134aa08cc25af0983008ed273b3c7

SHA512
22ddb320e5218f831a0056443c530cb14ae9838dbaf19f5a96067ccab63fb2cc8b6ce5b1e5197759721bd6bee2d2f9067236d44e377c14859da756f013139089

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab2C70.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar2C85.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar2E42.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www2B16.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www2B17.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/380-21-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/380-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2128-5-0x0000000000060000-0x00000000000ED000-memory.dmp

Filesize
564KB

Download
memory/2292-851-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2292-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download