c2d8535691ec630f8bb1a42193e2b7f59974461113901fd6ed0b2de1eeb93126

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe
Size

206KB
MD5

33b14c618e9c6a2e8ec5fecf8a257cf4
SHA1

4152ccf0ff937f848dc385b23c62cc99aabf22be
SHA256

c2d8535691ec630f8bb1a42193e2b7f59974461113901fd6ed0b2de1eeb93126
SHA512

c703fbf6ca4b3613008e92fddda5c8c062b137e24ce4a7f91eb6b138d224ebf08474eeb4eafe832ee55a7fdcdf242f9b0cafdd002036ef036e3cc9a97c39734b
SSDEEP

3072:bw6Ndw8o9kXrVfp8JXrIU7IAK68sidnQ7G/IA03gwqwkwyUe//26pr0717fsL8O7:8gmSlp+PcKG/83Uwyp26pwJEL4R

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	Rpcs.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Rpcs.exe	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Rpcs.exe	Rpcs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{816D0F51-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{87D9E570-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{99493EA1-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D7E6A9E1-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{816D0F51-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{816D0F5D-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE290671-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C308F552-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Rpcs.dll	Rpcs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{99493EA2-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Rpcs.dll	Rpcs.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{816D0F53-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C308F551-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE290672-3E87-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Rpcs.exe	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BA60822C-E19F-47B4-9712-7F33DCF809AB}\e6-13-a0-b4-39-bb	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070003000a0006002a0004009702	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 70a5f94394d2da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "5"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070003000a0006002b0031004d02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "4"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0000000002000000000000000200000000000000110000000000000002000000ffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 110000000000000002000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 02000000000000000200000000000000110000000000000002000000ffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-13-a0-b4-39-bb	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070003000a0006002a0027005f02	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070003000a0006002b003700ae00	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 05000000000000001c0000000000000007000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "7"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 0400000000000000000000000000000005000000000000001c0000000000000007000000ffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000003073114494d2da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070003000a0006002a0027007f02	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 0000000005000000000000001c0000000000000007000000ffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070003000a0006002c0018006302	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 07000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "6"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	Rpcs.exe
Token: SeDebugPrivilege	2740	Rpcs.exe
Token: SeDebugPrivilege	2740	Rpcs.exe
Token: SeDebugPrivilege	2740	Rpcs.exe
Token: SeDebugPrivilege	2740	Rpcs.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
1696	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2820	IEXPLORE.EXE
2820	IEXPLORE.EXE
2148	IEXPLORE.EXE
2148	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2664	2740	Rpcs.exe	31
PID 2740 wrote to memory of 2664	2740	Rpcs.exe	31
PID 2740 wrote to memory of 2664	2740	Rpcs.exe	31
PID 2740 wrote to memory of 2664	2740	Rpcs.exe	31
PID 2276 wrote to memory of 2808	2276	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe	32
PID 2276 wrote to memory of 2808	2276	33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe	32
PID 2664 wrote to memory of 2820	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2820	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2820	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2820	2664	IEXPLORE.EXE	33
PID 2820 wrote to memory of 2812	2820	IEXPLORE.EXE	35
PID 2820 wrote to memory of 2812	2820	IEXPLORE.EXE	35
PID 2820 wrote to memory of 2812	2820	IEXPLORE.EXE	35
PID 2820 wrote to memory of 3020	2820	IEXPLORE.EXE	36
PID 2820 wrote to memory of 3020	2820	IEXPLORE.EXE	36
PID 2820 wrote to memory of 3020	2820	IEXPLORE.EXE	36
PID 2820 wrote to memory of 3020	2820	IEXPLORE.EXE	36
PID 2740 wrote to memory of 1280	2740	Rpcs.exe	37
PID 2740 wrote to memory of 1280	2740	Rpcs.exe	37
PID 2740 wrote to memory of 1280	2740	Rpcs.exe	37
PID 2740 wrote to memory of 1280	2740	Rpcs.exe	37
PID 1280 wrote to memory of 2100	1280	IEXPLORE.EXE	38
PID 1280 wrote to memory of 2100	1280	IEXPLORE.EXE	38
PID 1280 wrote to memory of 2100	1280	IEXPLORE.EXE	38
PID 1280 wrote to memory of 2100	1280	IEXPLORE.EXE	38
PID 2820 wrote to memory of 2108	2820	IEXPLORE.EXE	39
PID 2820 wrote to memory of 2108	2820	IEXPLORE.EXE	39
PID 2820 wrote to memory of 2108	2820	IEXPLORE.EXE	39
PID 2820 wrote to memory of 2108	2820	IEXPLORE.EXE	39
PID 2740 wrote to memory of 1808	2740	Rpcs.exe	40
PID 2740 wrote to memory of 1808	2740	Rpcs.exe	40
PID 2740 wrote to memory of 1808	2740	Rpcs.exe	40
PID 2740 wrote to memory of 1808	2740	Rpcs.exe	40
PID 1808 wrote to memory of 1304	1808	IEXPLORE.EXE	41
PID 1808 wrote to memory of 1304	1808	IEXPLORE.EXE	41
PID 1808 wrote to memory of 1304	1808	IEXPLORE.EXE	41
PID 1808 wrote to memory of 1304	1808	IEXPLORE.EXE	41
PID 2820 wrote to memory of 1696	2820	IEXPLORE.EXE	42
PID 2820 wrote to memory of 1696	2820	IEXPLORE.EXE	42
PID 2820 wrote to memory of 1696	2820	IEXPLORE.EXE	42
PID 2820 wrote to memory of 1696	2820	IEXPLORE.EXE	42
PID 2740 wrote to memory of 2204	2740	Rpcs.exe	43
PID 2740 wrote to memory of 2204	2740	Rpcs.exe	43
PID 2740 wrote to memory of 2204	2740	Rpcs.exe	43
PID 2740 wrote to memory of 2204	2740	Rpcs.exe	43
PID 2204 wrote to memory of 2456	2204	IEXPLORE.EXE	44
PID 2204 wrote to memory of 2456	2204	IEXPLORE.EXE	44
PID 2204 wrote to memory of 2456	2204	IEXPLORE.EXE	44
PID 2204 wrote to memory of 2456	2204	IEXPLORE.EXE	44
PID 2820 wrote to memory of 1944	2820	IEXPLORE.EXE	45
PID 2820 wrote to memory of 1944	2820	IEXPLORE.EXE	45
PID 2820 wrote to memory of 1944	2820	IEXPLORE.EXE	45
PID 2820 wrote to memory of 1944	2820	IEXPLORE.EXE	45
PID 2740 wrote to memory of 788	2740	Rpcs.exe	46
PID 2740 wrote to memory of 788	2740	Rpcs.exe	46
PID 2740 wrote to memory of 788	2740	Rpcs.exe	46
PID 2740 wrote to memory of 788	2740	Rpcs.exe	46
PID 788 wrote to memory of 2124	788	IEXPLORE.EXE	47
PID 788 wrote to memory of 2124	788	IEXPLORE.EXE	47
PID 788 wrote to memory of 2124	788	IEXPLORE.EXE	47
PID 788 wrote to memory of 2124	788	IEXPLORE.EXE	47
PID 2740 wrote to memory of 2884	2740	Rpcs.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33b14c618e9c6a2e8ec5fecf8a257cf4_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  PID:2808

C:\Windows\SysWOW64\Rpcs.exe
C:\Windows\SysWOW64\Rpcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2812
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2108
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:734220 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:668694 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:668727 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2148
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2100
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2456
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:788
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2124
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:2884
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
1fbac483a473c9c4ad6cbe9a757c5f55

SHA1
cc6863ad2a5ca11a6e2c9dee567f1b97fb649690

SHA256
34bc865123c3ebf2dfad01fbe16963317e4c6d44fbaa8e663b21cd3fe2228358

SHA512
735d678679e1b14b76b990618b08fc50c4ad047a42d9b88c74938b3797d58912d2e0f4735302b8359e1c60381b68ae5f65038bf04d239db184c493aa5a367543

Download Submit
C:\Windows\SysWOW64\Rpcs.exe

Filesize
206KB

MD5
33b14c618e9c6a2e8ec5fecf8a257cf4

SHA1
4152ccf0ff937f848dc385b23c62cc99aabf22be

SHA256
c2d8535691ec630f8bb1a42193e2b7f59974461113901fd6ed0b2de1eeb93126

SHA512
c703fbf6ca4b3613008e92fddda5c8c062b137e24ce4a7f91eb6b138d224ebf08474eeb4eafe832ee55a7fdcdf242f9b0cafdd002036ef036e3cc9a97c39734b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0881d7c21d167a6a40eaa7ffc6878903

SHA1
8d623eb8aa0836f40474e7b6dc55419b641f1936

SHA256
300db82e4b8f9a6c586afb6f4afa11d9aaa0a114289333305a255c054a613dbd

SHA512
8144d85a32d276840a7f4aab2a801c9420c10536febf9996130422ccd9c0c701229af244dface2a5da77b2e500408ae740fe5d5e070147d82be4abd3c3c817ef

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e88bfd162f50907bf1cc7d2113c85ff4

SHA1
3e234341e4a3166c09cbf8465fb7732bcd9aae7e

SHA256
71897a80e1d86a4a0a9027b470e1799825982c8b8d83345f1d003d72e5d35faf

SHA512
dc23703c43d1af3809b0bc7df817dd6c5153d33c054918a8078363a4c64ce359374459a0ec60b3d39ca365cae08cade36028708536bf21c76002150c91491e2b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18ab8adf0445a16de6f8063a97557d7e

SHA1
4f6ffdda46628b1a47b2c0764e90660a9e082973

SHA256
964e0cba17106f124e065c9bf7c2726ace552a9caf12a8dcb10fa1de69122eb5

SHA512
75ebf19c32b7fb84a2b8770a9d538dbf07eab24469d83c0d40e7c0a35c1cfb9b20ffc9fc9648754235af2b154880e13a5f44e99d8ac1f195e20207d993d8f2b6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d8e51059ac14937aa0c5a811a826eb8

SHA1
e2f3a008c0bcb963eed874c9a9ec8a0cc8a623c3

SHA256
37dd8be443722a3399db90091edaaf21474f2f62c4aaaadf0ab9ea6dff478f2a

SHA512
0131be41ac0a77a38812e197f40447d1c139e9724cabdd28d20792b3b52ab25fca605726520d0bf3c2cb7a957d4b4eb6ff2c21c0de64997865f9ced133bd3b64

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4885b37e2dbac8d6ac29e147da0f2c23

SHA1
335756ac9a7f686912c0b7d4f03a9ca4655fd5be

SHA256
e21bb6c01c5965e5937a41f4113a96d11a70d700cbbc83535abd5f74ad6a2c11

SHA512
bb8d697fd59f036d15a56caf31a0dcfa9be5acc537fb85b9bfc7895cdae9ca250f865b027be96c1a5ffa19d29dd727cddf98af2e9d84b5c5c5d1592f92b20e52

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
590dedcfffc1a074d8df57be044b43c4

SHA1
9131ef406f3dcbe731846ca2f6b30b18c5f4b585

SHA256
16176b0b71ebc122bd160a1e5831d377f21236d2e1bb0363ffd05653ecc94ac0

SHA512
369aac1ee1afe48b369f3f11819355908439ee7f9c54321160066c08320200783720602c728f09c5ab722d41695d438ede6be4e37881978fc7da154624d8fcc9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d7fd6577c9c1241b63bf2874728795a

SHA1
6dfb53a0c5dc72fc57da531759d0b154e6538822

SHA256
7fe407a7673f69f5e84e68ddfab2ec604cecb20b9df21af097fab2993d834980

SHA512
9fdc15cafcdc8158551558f37f8d70bc32c3ce7ad79362c1da19f0cd839c8b8afac6a32bb577a6d9d65b0d5b4d4ba47c92f61502022b1424eb9cfb8d16aea2f6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19ab94d0ad48c479496aacdec614104f

SHA1
d687c0042603d9fe7b8ec7b53e4be08e1f276162

SHA256
42db66578c1bd260f72be0895360f5e32f25e1fd421229b63716f722be2c6f09

SHA512
763d2d14f7f41d241c6b9430b8dbfd1d6250d12c3cc70307d051f44259a8708acb67eb3037817466ccbbc113b1d0c5bcb3b9b5228d322f48dfaa6dfa1f99a65c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f01ceddfdf45dbc666b8d3abd71d3d35

SHA1
8c49ac6cf246820a311741d050f73487027a0941

SHA256
745e65562c53b0516cf54e6a62a7ecc93d99845ecfd46a44405fbb1c8260ce5b

SHA512
612b7742b39b7318c7406ee4756d37919ff16bc67eac0e748fcd260d104d78de005d074e744b16cfde38ce5cfef8a07f34acef81996b912d1d0ebc205efdb849

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
366e710227290b7ad1b8a2f0282b88c5

SHA1
2c0970894a42c3aca1ec54c806c473b7470bcc2a

SHA256
27f643e9da6b4140500b31881573e2fe0e2cfeea81145973c08ef4427104465c

SHA512
a2a5a4b54824702de094252624343a870b6cff4c016d2935b2818fcd67ba575124cdfda83957b766c36bda2f7b3fdfec6c78c20eee8e7bb08f275304ad310831

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0193f7bad542c04789d2dfa9e2040b7

SHA1
f36eab9cb2e132128e9404a5410252c8aea8cc3f

SHA256
187b5243a0666547126d6acc6228606b78be50253d3dcea7dc0ee71807e6a9fe

SHA512
9f2489668ce29aa0e5cf4dda48a317d520a45ca548ecae633fb9a4b96b26f7182f0efd7aa740b29bed26c076ac8b2fc03c791e804f044deca79f82841565fd0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f05b96cda61bf12a7bf1555b48c151

SHA1
0fcd0204b8fc08b467f9e9bf23bd0f65309dc438

SHA256
8af37ade0aaf55d868a15b0e96fcd6f78e632ae70631e2bda075a609f85ec70c

SHA512
8e72e62e845d5b0a175bc0aa596a69f2245480c6e92a210d6bd3dcbc35ec159e087c4870818f6c63e2d15b75905901a31b3e5eff9835db760d025d3deabf90ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85d00cb58c962c9f1930c4c9bd5d6442

SHA1
043ec61619b22905bbdaf0ae2e38c77678fc881d

SHA256
699d0ef5444346601c682d4421e54ec1d6298f81e955f6aab978d889b342ddaa

SHA512
a104a4842862720f6d09a19dce0429efa24d236c9969f1353111dab72e8b3f38f74c0a2632ecbcddd1390ec3f3d81ea087df6e07b950b26c108213ddb6425c6d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa89ed669eaeeaff2bd42155a49a5a5b

SHA1
3961a82b568f09df1f540eb83ecd5b412a55e46c

SHA256
711b9020ab62d9d9e74f3392b801132a9d8a1d1c3fd232bb33e09f8d995de11b

SHA512
63d732ca3f47112bd74f1c84e1b0f6d85920d03b6916d8d213ea49655e7876f505b899157f8d8d1aeeacbcbc78c5cbe0fc97ee050a8f954664b1247f611653dd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a0797a8190e7d8612c1058d01d506d3

SHA1
7eaaccd1c3530bd733772c24a76d3bffeed0bf0a

SHA256
da85a85b95e00da16c065c8d2675c4247d28f87fda7e862366e2580dc46bbd55

SHA512
2c16c48629f6364ad0304414a5c7856caa694d482c2dce8652cee6e23e6ec7f2075b5e44f321014e3b8bf6c9fd31eab9d681996017c943a34445eed6c6854bdf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a19deba3c6387e4491de66b0278440

SHA1
6205bb36c47aa77fd8ed20d1d857bd9486201474

SHA256
1cfb9b27105991e159b22cce2536f680d5f3cacb6198622987b23cce199275e7

SHA512
28435658ea632e06b34a7794f53b8f7b62a7047c3694b6fb09a1fcd5c67c9bddc144fa68de6551b4e6b239c039d6021b9471dfc6b4d9ac557f6f3c66a7acad55

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e558fa619a0b401f1bba4a544535c33c

SHA1
5a9cbd5dd41f93b6df07455bfb8901cea9e638c6

SHA256
5c0235e2e74d98dded9ad208d6bdc26256dd9b9c2f0d9f865abf632060ffb633

SHA512
9f199aa0759f795b2b3d765e64986e1d9b5e2539226d99b543cc71bf84e2338be7b199658353874496576e3812f4f10fd57de0915e8098d146eabb863832cfad

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd5973b7fd1cc18220e8cd29522df8e8

SHA1
2f208c6279405dcfd7c1e1b04edddb923434a722

SHA256
49df9708fea01a804de1f653d94ffdd9bba969a494060c63464c6f8e071175b4

SHA512
a61baef8c3072d370df87a084d1799288e3f09f4c4f9df97db493107d9db905f11b2446dfcc09fd30bc4dc7ba9630f8b780ed0854a54aa5bf43938a487570af3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93c34bfa8e0c455b1a9a017a74204405

SHA1
0c14e4d0a70da83b5fe537f49c151941370f6f69

SHA256
12ac2ca1e48f7f408ab7144ec577f991babbe408b7736178c37317619ff57a66

SHA512
64d490c67dc60f5a3c97d86d09fc919caf626b695fc4150a7656557c15490e2962e746961095e9adc7493d3865b8a97013ae8a57de4adedf424ae9075f51ac3b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547ca409b4ebf9138c7b5f6b0cefb3ec

SHA1
9da8115098f523b3d72a53867daff21871165916

SHA256
3f0ca505269a7b49e0a3e97de989c558894446d828f03f4e87cd9c129f6fe763

SHA512
568b33669d6108d5a29b63b650cff53a5666f1283b5c0390241f0b272b7aa18bf163f4921c36d83da698c33dea717f35a39f51529c45ac8a423941bc6fe8a7be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1e198d8d6d6500da56d74f1bc3a56f54

SHA1
856ab29ba1f07ca2ac742097f8c2b7ba9faad81b

SHA256
77b1075ff632c71f5aa1d3583b69b256d6c9aee0dfc227e031d20f7ab6d182fe

SHA512
9b1d92d1faa3998e0d0ea95db754a2a531d98aa5175cbbf0a771c10d213e3108cee45300d01dcf074ce325f92ff0fa3731e612c4e88f9eec264887b3b7ceec22

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab5FF.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Cab70C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Tar602.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar7DC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwF691.tmp

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
memory/2276-13-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-702-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-710-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-707-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-1309-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-1316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2740-1319-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download