713fdf5caffe2138e076c1b25193cf8dea8c1ff74e72178598da0af5209fbd2e

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31404212cba318f2a7556105075f71b3_JaffaCakes118.exe
Size

640KB
MD5

31404212cba318f2a7556105075f71b3
SHA1

10bf447cb459eb24ef5a84530d5a9c19a5dcf3d6
SHA256

713fdf5caffe2138e076c1b25193cf8dea8c1ff74e72178598da0af5209fbd2e
SHA512

3190576f24576b847797b4d6ed0e2dfd7ee3774d6049bb87727557c24d8f717aea88947e4a4c114ee0fedcbf5e1fcb50de85742269b9735bce132339faa02971
SSDEEP

6144:d91sHI+Ri09LzS8Xghw67smirGaf6cNkJI/iU4Bm:dj0BzBCw6cf3RiU4

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1796	RpcS.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{928C28B1-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{928C28B1-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{928C28BD-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.exe	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcS.exe	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4269F81-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D4269F82-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{928C28B3-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{E9066751-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BF4B4C52-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AA669AB2-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AA669AB1-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{98E45D90-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BF4B4C51-3E1F-11EF-8893-6AA0EDE5A32F}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\RpcS.exe	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-ac-98-a0-c3-88\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 1200000000000000020000000000000003000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffa0000000a0000000c0030000f8020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36E2D099-2459-44C7-8DC0-46FF4F4FCE7E}\2a-ac-98-a0-c3-88	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36E2D099-2459-44C7-8DC0-46FF4F4FCE7E}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36E2D099-2459-44C7-8DC0-46FF4F4FCE7E}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807070002000900120012000700160102000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000000000001600000000000000040000000000000006000000ffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070002000900120014001900e802	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070700020009001200120003009c0302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070002000900120012000b00b200	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000040000000000000006000000ffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "7"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	RpcS.exe
Token: SeDebugPrivilege	1796	RpcS.exe
Token: SeDebugPrivilege	1796	RpcS.exe
Token: SeDebugPrivilege	1796	RpcS.exe
Token: SeDebugPrivilege	1796	RpcS.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
2808	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
2480	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
2216	IEXPLORE.EXE
2216	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 2320	1796	RpcS.exe	31
PID 1796 wrote to memory of 2320	1796	RpcS.exe	31
PID 1796 wrote to memory of 2320	1796	RpcS.exe	31
PID 1796 wrote to memory of 2320	1796	RpcS.exe	31
PID 2320 wrote to memory of 1924	2320	IEXPLORE.EXE	33
PID 2320 wrote to memory of 1924	2320	IEXPLORE.EXE	33
PID 2320 wrote to memory of 1924	2320	IEXPLORE.EXE	33
PID 2320 wrote to memory of 1924	2320	IEXPLORE.EXE	33
PID 1924 wrote to memory of 2328	1924	IEXPLORE.EXE	34
PID 1924 wrote to memory of 2328	1924	IEXPLORE.EXE	34
PID 1924 wrote to memory of 2328	1924	IEXPLORE.EXE	34
PID 1344 wrote to memory of 2336	1344	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe	32
PID 1344 wrote to memory of 2336	1344	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe	32
PID 1344 wrote to memory of 2336	1344	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe	32
PID 1344 wrote to memory of 2336	1344	31404212cba318f2a7556105075f71b3_JaffaCakes118.exe	32
PID 1924 wrote to memory of 2740	1924	IEXPLORE.EXE	36
PID 1924 wrote to memory of 2740	1924	IEXPLORE.EXE	36
PID 1924 wrote to memory of 2740	1924	IEXPLORE.EXE	36
PID 1924 wrote to memory of 2740	1924	IEXPLORE.EXE	36
PID 1796 wrote to memory of 2172	1796	RpcS.exe	37
PID 1796 wrote to memory of 2172	1796	RpcS.exe	37
PID 1796 wrote to memory of 2172	1796	RpcS.exe	37
PID 1796 wrote to memory of 2172	1796	RpcS.exe	37
PID 2172 wrote to memory of 2004	2172	IEXPLORE.EXE	38
PID 2172 wrote to memory of 2004	2172	IEXPLORE.EXE	38
PID 2172 wrote to memory of 2004	2172	IEXPLORE.EXE	38
PID 2172 wrote to memory of 2004	2172	IEXPLORE.EXE	38
PID 1924 wrote to memory of 2808	1924	IEXPLORE.EXE	39
PID 1924 wrote to memory of 2808	1924	IEXPLORE.EXE	39
PID 1924 wrote to memory of 2808	1924	IEXPLORE.EXE	39
PID 1924 wrote to memory of 2808	1924	IEXPLORE.EXE	39
PID 1796 wrote to memory of 1704	1796	RpcS.exe	41
PID 1796 wrote to memory of 1704	1796	RpcS.exe	41
PID 1796 wrote to memory of 1704	1796	RpcS.exe	41
PID 1796 wrote to memory of 1704	1796	RpcS.exe	41
PID 1704 wrote to memory of 2536	1704	IEXPLORE.EXE	42
PID 1704 wrote to memory of 2536	1704	IEXPLORE.EXE	42
PID 1704 wrote to memory of 2536	1704	IEXPLORE.EXE	42
PID 1704 wrote to memory of 2536	1704	IEXPLORE.EXE	42
PID 1924 wrote to memory of 2440	1924	IEXPLORE.EXE	43
PID 1924 wrote to memory of 2440	1924	IEXPLORE.EXE	43
PID 1924 wrote to memory of 2440	1924	IEXPLORE.EXE	43
PID 1924 wrote to memory of 2440	1924	IEXPLORE.EXE	43
PID 1796 wrote to memory of 1496	1796	RpcS.exe	44
PID 1796 wrote to memory of 1496	1796	RpcS.exe	44
PID 1796 wrote to memory of 1496	1796	RpcS.exe	44
PID 1796 wrote to memory of 1496	1796	RpcS.exe	44
PID 1496 wrote to memory of 2404	1496	IEXPLORE.EXE	45
PID 1496 wrote to memory of 2404	1496	IEXPLORE.EXE	45
PID 1496 wrote to memory of 2404	1496	IEXPLORE.EXE	45
PID 1496 wrote to memory of 2404	1496	IEXPLORE.EXE	45
PID 1924 wrote to memory of 2480	1924	IEXPLORE.EXE	46
PID 1924 wrote to memory of 2480	1924	IEXPLORE.EXE	46
PID 1924 wrote to memory of 2480	1924	IEXPLORE.EXE	46
PID 1924 wrote to memory of 2480	1924	IEXPLORE.EXE	46
PID 1796 wrote to memory of 2416	1796	RpcS.exe	47
PID 1796 wrote to memory of 2416	1796	RpcS.exe	47
PID 1796 wrote to memory of 2416	1796	RpcS.exe	47
PID 1796 wrote to memory of 2416	1796	RpcS.exe	47
PID 2416 wrote to memory of 1604	2416	IEXPLORE.EXE	48
PID 2416 wrote to memory of 1604	2416	IEXPLORE.EXE	48
PID 2416 wrote to memory of 1604	2416	IEXPLORE.EXE	48
PID 2416 wrote to memory of 1604	2416	IEXPLORE.EXE	48
PID 1796 wrote to memory of 2900	1796	RpcS.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\31404212cba318f2a7556105075f71b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\31404212cba318f2a7556105075f71b3_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  PID:2336

C:\Windows\SysWOW64\RpcS.exe
C:\Windows\SysWOW64\RpcS.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2328
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2808
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275481 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2440
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:668690 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2480
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:209977 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2216
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2404
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:2900
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
7f5fbef0220970c57bde73fb08f03d1c

SHA1
735ade8cf67647578fd5e68a98604835f4e77c0e

SHA256
32b6dfde551c85b44367283cef7c240bbde6c70720e871d098a255ad1260efd8

SHA512
b4fe324d03c64acaeb5ca5c0fb772f44c223a65d026de6cc4620210d5f36c0ea2cc028e38fcfc0ea7970e4a90dcf0995a3d81d4c4c1156db48f4e6d05f42d2fd

Download Submit
C:\Windows\SysWOW64\RpcS.exe

Filesize
640KB

MD5
31404212cba318f2a7556105075f71b3

SHA1
10bf447cb459eb24ef5a84530d5a9c19a5dcf3d6

SHA256
713fdf5caffe2138e076c1b25193cf8dea8c1ff74e72178598da0af5209fbd2e

SHA512
3190576f24576b847797b4d6ed0e2dfd7ee3774d6049bb87727557c24d8f717aea88947e4a4c114ee0fedcbf5e1fcb50de85742269b9735bce132339faa02971

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7c4292c27ea951e0a4f479f4c5f46029

SHA1
629d391828f5ae4a8773779b141ed0e5cf0bf608

SHA256
e96ad5b291ed9fdc1de3379e12015cdf05a11bf0483b233f54b4ca442d9c918d

SHA512
c335771688b707e615896dccbc35d50a5f1abbd63c937c30fe544d201e4d752fe5ee8ba9908575f3fa7182a724241d916ec5e7e20f7cd64d843937afe5689109

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fbdfc36449cce0cf1101b35e739bde4f

SHA1
0cc36adfc0649ef0bff832c52ba7e644f4b3f991

SHA256
8c89c76db21d7397b8918fa5883a6bcb8aa49c223f34dbd9cf35276b26ad61b4

SHA512
c92715cf6f97157a2a2fe4c5e19b324def827e6a3161cabb7bc1823e899bd2568641574b83eec8d3ceefdab157e526c15df0a1caf0b267f34291bba67dff2df8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
702e6ebd127842b45654562947d96ce8

SHA1
eb0d8a3c4ded1f34b82355b7d31ccf191925f837

SHA256
4fefa2b04ee8215a237634b592e70033927442966f9d7959a59166c7551591bb

SHA512
7ef25779fd15eb54ed250d5b324e179491450de2db17ee16864faa5be6ccd12c8ff4347799239787a44251276737523de3488ff70cd21bf5114b541a3dd9b54e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d5576c44ca98b7bd94fa3f0abc9442e0

SHA1
0732bc90e6f58fce4b14e64332d6ff67c898c481

SHA256
e62c4e01b68f2f552cbfcdc9e3860d1721c0460467dfddf1a80e4d655a37eb79

SHA512
808f74523048f180d7a7f4846e855acab0e92598814e9ae5b4a9e186ba0ce6fb684e1d90e662e3131cd69ac2b956be2374c85358e5a06ab9c159edd707505744

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
47951d3b0dfea7e7ef4b65c324ecad9c

SHA1
550c1d48653af0171a6b1bd5cbd3c18c7a9f8d1e

SHA256
f15105d11232609a794bf30a20074eedaf95cc66ecb7fb5a9a5a7d160cdcec78

SHA512
76460265fa7901569820f342d122f3ac20544b5fb947646a76b9a8941d3bdc2cc974895be74ab648122316849ebb612dd0684632f8e0e382d504a7835692ce6a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a26ff86fe4a69fd789035932d6b2ff75

SHA1
aeea01b7ddaf898429f292ec12f58f4fb6e523ad

SHA256
a47e77e04e5e9e42ae5f19bcb68187da03f8d2b5d2022f8ce893ed981f2aa73c

SHA512
3ecf2476ea7feb04fcec7bb0a1947ff5eaa4e3d4f177f1a101bbbf00135032e21814bb35cb4409e08f13cedd8b4a764686d93155b347d2e49cdb9ec8bf99dc70

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8e22427f8e107cd775c6f86c2fcbae1f

SHA1
0f1c91f61293db46f1f9fc7e4f85d97c7e907f57

SHA256
9a0e1daf2a1339c105cbb0157a44f6640dd031d055eb7ffc06075e8ee8ed90b9

SHA512
7534d7a43751311eb4e7df7d6f2aa9882efb61cf115e117736c0b4eb492e300f856d9e9751ca8c8144b4d8b47b374f4cab9a39131449d765593770e1f495c757

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2674a5cd539bc25ca8f5c9da29cb49e6

SHA1
c471ce71cd6761d91991fd5cace1ffa9d91097d3

SHA256
ed45842290f5b35e972bfe06e87edabdbb850f8591171ada93f533023c8e0ce2

SHA512
438c590bab080959f205feaa239da976005ded3d825588344592d820473e826f779b30b4e1cbbcc94b6c6c21a8b948e8f90fce65edcf55127a513849764794c1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4ec6c08b5fd1a02bb915db947afd8e96

SHA1
07789935d85477b1f50cc2ab33bf1d984b7c9a9e

SHA256
5ea5abc8ad9b6de0fcadf2dec007d64f1d8b900221f6393b685332e86586ae49

SHA512
c180074a06ff695399a03ce7e394cbf4725b48d9642072b54b6d19a933bbf39a96e2c6c10791675ebca411c0f774f8ba160b64fdd8e77f6486fcd024e6d15992

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
6af533686ebb737155c8485591f27c34

SHA1
b96f949b41fd7f01616c678c5ce2ddd3a6c27748

SHA256
380280e03bce147133da96bec4a3a8a13630b5bf31c4579b0ffebe44392aca17

SHA512
14929bf4adc8ff3e92d8329decb7d6765107f0201beeaecf4e8ca83a4d8ad54999c1c503311c0e7b64bb4752abb4f5553bfd7c3f6ea8f0299d5d16c56a82df1f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
08016aef2b8ac1b1a02e72aa626f4dcd

SHA1
b08bf7571d8d32f3e3418272c74eefd07f625aa8

SHA256
8f33a05f0a965c2613335d6a21c8317eb6c44c3c4a871f1252953ce90477e0c8

SHA512
c2b081daa9b5d23e5a76864f1bc2267ee7dd7936278aa333ab12814b83b6d6e7f8daaf06a074448e15b2e00713bf1652ab73915b75e08a68e5eff62a3b845282

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2d12931a1cce00224a6d9fc971dbc23c

SHA1
cc5d7f474aa2253f96e00b002d957789d22da8ed

SHA256
c9c22d51b69626177591ca5a77530924ea52a124a004cad56e844d1b704cf360

SHA512
b1e18de6d4411a09dd44b7c5f6e434b708a9b16de89250f215be6bf4a26fa185e8163c0823e740ad021c40160704f1605c40e2b74386db855851fbefbaeec4b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4e6862c9a97b9611ae45a4127dc45df7

SHA1
a0b0ebdf27f15799cc7f3f45f3bb243f411319f7

SHA256
2b73c69ae6de04675ac6a42c06894805c5fd2a82b49640a09728f4e139f916a2

SHA512
268e878581b2979898f965c56d3f41214c6f9c45b1e1f9ee415377504f1690ca3485290a324aa4ff2ceb967e2ac8a9efca5fce9fb120d49d71d5a5a9ca695ed8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b40987844031016c57e7973499e037b4

SHA1
58a9069c72e62eadeff790f341079f5e5ee2c770

SHA256
40a3c35a0db0e2263d2005c1a9c0d43a020d159dfd61f02182e851416bb4379c

SHA512
0fceb9cc3afef2bd24f5ba491d80a03d7c0e7a8909dc3d74a1812e987bcca477edec58d11e0835f0c4a72a020ea36a73c5a299bb9baf243cf76ca3790c5ad15b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
8851376d7ae1e1d233b5c1ce9397fac4

SHA1
6cfce98e4b56b9ffe64880882201376cf7a767b8

SHA256
99fe919dbf983e101290b50761f72439fd0548db3f6d4481b27dd0990d339466

SHA512
6ee70e7a45b3f4f16df2f8db3fa97adb3962c2e21868baf79903e433c573e65314277c2a286ea2bee3a49a7bbe0aa3bdb032992821b08758b7e2fde7f65a4326

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
d09a6f39cab35b0eb37b49857dbb6683

SHA1
1954af0204fac7fd06b7bc515b79b552d5a3bac6

SHA256
02912667551704761d89e3f6000f6349d359146e247f3fbc684b7c1c32296ac5

SHA512
59070680e015560795b8c37213b5723b9b5a1bdbd98cd2ba78f7cc9af246b30018d42f6fdfe1f145c17cc421cc3c54872ed7deb6898d2bb6899ded1fb9bee829

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e0d11d8ffdbb6a01f27f4dac67b925dd

SHA1
dde25c34b192757c355d888f55892a86d0bd45cc

SHA256
cbc766873d7f3e3f15b005cebedcc39cc5bad7d3f39484c10e99c1394867444c

SHA512
04896cee369b0fbe9721a7b623765d15569d6620a372b600f9362aa5de2a886ea912978b43aebcb1c1c73d3a86df4b7c704395f3565b2100e22c98cc64912a90

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7f9672c1577d7f13a2fb08c6b73ee2aa

SHA1
2e70f5da548dc9a4671dd5826755293bb371be19

SHA256
c2d4ab320c746b2c3f85b20ddc575249a7e1e94af38c67494b977602beeaa3ce

SHA512
ccf669453e173f5e3adfea62cbf8f65f6ab9c28f56aa376a09940baafe69ddaf54c3b3e7ede418030fd5064887a739c1586d46d611596046818736058aa82f75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5f75f9c4f14a1fcf0bfe7bc1ab390c5a

SHA1
3a54d93153d13c7e00402cc4ae48d0ed7e7fffd4

SHA256
62510344fffe8b8ea65fd568237d9d0dc89901ae5e36d786e23751124d5d7f2a

SHA512
ea9fb75b436dc212b008b716fc52d6387ccc972a134f64d94da7e7fb7dd15b56cac80a2e4b7ffd56dedbb41c46ba586ce227a5f3563adc19bb0913ce6598d428

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5b8a7d9584a1b83c7608671b2d62d496

SHA1
30bb291a10d32af7a1b518cb31be8ed6e4c68a7d

SHA256
a3289f7f417164665c9ac300312210c6c42527d10ea2e219c46aa973711c3522

SHA512
237ce16cc3cd886b607320971bc3d0590d8af522f9dcaf02577253a75c003edf35fe968d44d492a92179449bff49009cb916d5a1939f28f2425d68873328de01

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
5442e39641579ffcf830276c1c561f09

SHA1
09fe9bdd8c02d4712154d66414be0acbf1ac3968

SHA256
421518eadad0e881aebd5677859253d6f5b7bc190e0a2744c8b19cee8bd165ef

SHA512
06a784d59450c8d43914041ccf1ea5600f53899616859c7132da251fb54d392456de85f37ba0de2c0000063490b6a356ef8df3250223623d8450a47b2488aecd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabB927.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\CabB9D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\TarB959.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarBA77.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwAE2A.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwAE2B.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/1344-0-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1344-15-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1796-708-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/1796-11-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download