d338721fe6739bc7126ad2fd31b00a8aacbd5135994fd5fe577008c0a2e03772

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe
Size

432KB
MD5

36272ac9dc8abcbab88746662820aa3b
SHA1

832db222c62de4ff3bfccbae3ab10490745c017c
SHA256

d338721fe6739bc7126ad2fd31b00a8aacbd5135994fd5fe577008c0a2e03772
SHA512

16fd28ab5a776f82fb5d3b69962d3bedb03c58b446bea4f812bf30531261b223f12c99cb17aecce1c020bcafbcb9aa02e68cdf6771059ef4a3b65d3569ad9cf7
SSDEEP

12288:cezrxVYtRiITF3Z4mxxxzurGHx1gWLX+O:VlVYtRzTQmXxKE1gWLX+O

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2420	RpcS.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5F1DD410-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.exe	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcS.exe	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{707799D1-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AF176671-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A377791-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{85552752-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9A377792-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5888869D-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58888691-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{58888693-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58888691-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{707799D2-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\RpcS.exe	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{85552751-3EF6-11EF-A74E-76B5B9884319}.dat	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "6"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 01000000030000000600000000000000170000000000000003000000ffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-fd-53-ca-e5-b2\WpadDecisionTime = 10de781d03d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070003000a00130039000f009001	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070003000a001300380005007401	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "10"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A73345C-0EE5-42AB-AC74-24145B799F6A}\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426803193"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070003000a00130038002e006700	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070003000a001300370019004903	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 30fab61b03d3da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 03000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "5"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	RpcS.exe
Token: SeDebugPrivilege	2420	RpcS.exe
Token: SeDebugPrivilege	2420	RpcS.exe
Token: SeDebugPrivilege	2420	RpcS.exe
Token: SeDebugPrivilege	2420	RpcS.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2012	IEXPLORE.EXE
2012	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2700	2420	RpcS.exe	30
PID 2420 wrote to memory of 2700	2420	RpcS.exe	30
PID 2420 wrote to memory of 2700	2420	RpcS.exe	30
PID 2420 wrote to memory of 2700	2420	RpcS.exe	30
PID 2432 wrote to memory of 2640	2432	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2640	2432	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2640	2432	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe	31
PID 2432 wrote to memory of 2640	2432	36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe	31
PID 2700 wrote to memory of 2664	2700	IEXPLORE.EXE	32
PID 2700 wrote to memory of 2664	2700	IEXPLORE.EXE	32
PID 2700 wrote to memory of 2664	2700	IEXPLORE.EXE	32
PID 2700 wrote to memory of 2664	2700	IEXPLORE.EXE	32
PID 2664 wrote to memory of 2716	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2716	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2716	2664	IEXPLORE.EXE	33
PID 2664 wrote to memory of 2116	2664	IEXPLORE.EXE	35
PID 2664 wrote to memory of 2116	2664	IEXPLORE.EXE	35
PID 2664 wrote to memory of 2116	2664	IEXPLORE.EXE	35
PID 2664 wrote to memory of 2116	2664	IEXPLORE.EXE	35
PID 2420 wrote to memory of 560	2420	RpcS.exe	36
PID 2420 wrote to memory of 560	2420	RpcS.exe	36
PID 2420 wrote to memory of 560	2420	RpcS.exe	36
PID 2420 wrote to memory of 560	2420	RpcS.exe	36
PID 560 wrote to memory of 1528	560	IEXPLORE.EXE	37
PID 560 wrote to memory of 1528	560	IEXPLORE.EXE	37
PID 560 wrote to memory of 1528	560	IEXPLORE.EXE	37
PID 560 wrote to memory of 1528	560	IEXPLORE.EXE	37
PID 2664 wrote to memory of 2184	2664	IEXPLORE.EXE	38
PID 2664 wrote to memory of 2184	2664	IEXPLORE.EXE	38
PID 2664 wrote to memory of 2184	2664	IEXPLORE.EXE	38
PID 2664 wrote to memory of 2184	2664	IEXPLORE.EXE	38
PID 2420 wrote to memory of 1384	2420	RpcS.exe	39
PID 2420 wrote to memory of 1384	2420	RpcS.exe	39
PID 2420 wrote to memory of 1384	2420	RpcS.exe	39
PID 2420 wrote to memory of 1384	2420	RpcS.exe	39
PID 1384 wrote to memory of 1556	1384	IEXPLORE.EXE	40
PID 1384 wrote to memory of 1556	1384	IEXPLORE.EXE	40
PID 1384 wrote to memory of 1556	1384	IEXPLORE.EXE	40
PID 1384 wrote to memory of 1556	1384	IEXPLORE.EXE	40
PID 2664 wrote to memory of 1108	2664	IEXPLORE.EXE	41
PID 2664 wrote to memory of 1108	2664	IEXPLORE.EXE	41
PID 2664 wrote to memory of 1108	2664	IEXPLORE.EXE	41
PID 2664 wrote to memory of 1108	2664	IEXPLORE.EXE	41
PID 2420 wrote to memory of 2356	2420	RpcS.exe	42
PID 2420 wrote to memory of 2356	2420	RpcS.exe	42
PID 2420 wrote to memory of 2356	2420	RpcS.exe	42
PID 2420 wrote to memory of 2356	2420	RpcS.exe	42
PID 2356 wrote to memory of 2576	2356	IEXPLORE.EXE	43
PID 2356 wrote to memory of 2576	2356	IEXPLORE.EXE	43
PID 2356 wrote to memory of 2576	2356	IEXPLORE.EXE	43
PID 2356 wrote to memory of 2576	2356	IEXPLORE.EXE	43
PID 2664 wrote to memory of 2300	2664	IEXPLORE.EXE	44
PID 2664 wrote to memory of 2300	2664	IEXPLORE.EXE	44
PID 2664 wrote to memory of 2300	2664	IEXPLORE.EXE	44
PID 2664 wrote to memory of 2300	2664	IEXPLORE.EXE	44
PID 2420 wrote to memory of 2824	2420	RpcS.exe	45
PID 2420 wrote to memory of 2824	2420	RpcS.exe	45
PID 2420 wrote to memory of 2824	2420	RpcS.exe	45
PID 2420 wrote to memory of 2824	2420	RpcS.exe	45
PID 2824 wrote to memory of 2940	2824	IEXPLORE.EXE	46
PID 2824 wrote to memory of 2940	2824	IEXPLORE.EXE	46
PID 2824 wrote to memory of 2940	2824	IEXPLORE.EXE	46
PID 2824 wrote to memory of 2940	2824	IEXPLORE.EXE	46
PID 2420 wrote to memory of 2348	2420	RpcS.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36272ac9dc8abcbab88746662820aa3b_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  PID:2640

C:\Windows\SysWOW64\RpcS.exe
C:\Windows\SysWOW64\RpcS.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2116
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2184
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:603148 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1108
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:668689 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2300
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:930843 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2940
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:2348
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
9f8809b7a293c120db64850a8060fb53

SHA1
8382387fd2e8f9ba99bbebd884ed9d03d6acac93

SHA256
5031d8c89001378428d7fc67e32c0bc624bc702ce6a35c8cfab85c5086d39575

SHA512
f827b7dcb7f3c426b1dd35851bef474c5c3582a6e3de216f90cf0015a033f478826e64675239d4e65f7e9ef7deabc8c99e8a425c93bd21548629c9ebe9b2b66e

Download Submit
C:\Windows\SysWOW64\RpcS.exe

Filesize
432KB

MD5
36272ac9dc8abcbab88746662820aa3b

SHA1
832db222c62de4ff3bfccbae3ab10490745c017c

SHA256
d338721fe6739bc7126ad2fd31b00a8aacbd5135994fd5fe577008c0a2e03772

SHA512
16fd28ab5a776f82fb5d3b69962d3bedb03c58b446bea4f812bf30531261b223f12c99cb17aecce1c020bcafbcb9aa02e68cdf6771059ef4a3b65d3569ad9cf7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
8c7d33beda492357e531ed1454b6cb37

SHA1
55ed75275c0bd491e5c382fcda3a4ff95a37ca7b

SHA256
2f03833bdf7ec9520d478e45197296be7c515151e6a778ed0b82c61ff570322e

SHA512
55cecbda86e9e23ea7b0b829c8584068b91e4ac7a9a671265bceb6c66fe9e19e8e28f04a589065d1f8cbba665b84bf06bf4f887f016bee9812e82cc82f088092

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2933df25bf7cb0e234c3d8e1df8153c

SHA1
9ea4b3a8a0a9bac39b1bc88eefd0545837630f79

SHA256
f0f8e6f8e1f4d37b69f109679d9020a0d590a45cb16c44ad6745436b6d591e8e

SHA512
2e393eb00dda34df06b338f9cb4eeb345c8d6682558560d1f668f5ea8652d1854275e0a6ed722e27b061194994ff2138e16d6383880da3780f6bb534eea8200b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
060e6c4faf428808759b86269c85fbf7

SHA1
21448ecb4f37e00cf552c4abf3bb1b64be99b7d7

SHA256
14daf57ed94b479a4e53de10bc5c29c019f14f05786758c372abdce10b8443e4

SHA512
fb2fa3854d1aa342bebdcf72a57975204738c2de133806aa823e9483bfa93774ef51bf4b0b675884c2d1fd76b4311947fca63185f69ffe46f2c7b041c753418c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26ea0e805c624fac0848ec15db5c1ba4

SHA1
9da60c201fb1beb859d2887c224bda2775e41979

SHA256
7ab4f4d3578e8d126696427b5cf504e05d32bb73b8450be7ab38ebbe48b64bfb

SHA512
0f401f5c2bdcf281368fe6fca172b707019c1fb4411ee8b177bf0d326e6a3f9096be84233d5a922961ce5f860226ea3fcd59d02e57c9e7328209b67457ce1903

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49a3e466acfffa2651e136f2e0805b09

SHA1
44061e28786be5b4beebe225cd92d89d26b08c51

SHA256
b34e9d88d7e11ce8478cc20055d58f884358f4066e87ca97eebc4fa0dc409cf5

SHA512
f0fdc2d55fa7e7b5d731f6dac53d620fc1362f776ebc61da2832fbd02b7c8aefd12f4bd3cfe56a1189a9859a6a76fe8818fa7daf0a148e4cdc1cad69bbbb92ae

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42a2121df8b0b6a6d4939a6c694ea465

SHA1
b4d8b9fb62dc1ebfe64d8fe89ceed5e44607e938

SHA256
cbee2ffbdcedfdb511d5ee951506563b566407de601220afc855ae1704cbc402

SHA512
dfb415dc0f70c6398957301c47d247968a9ab42e9430ada78a11f10a29d706cb21ed501f71d2a314577430d52557d28440e257804812f66d63e7ad425a7d56aa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e80721b7b60f154e8cee05340b0ef50b

SHA1
e2e6625c499aa32116512c98c8924567bc28015d

SHA256
34692c24fe100316a2b39997d21672ad9a026a3d936fa88f8b0caaf1118e65c7

SHA512
0235cc590f81bacb95257a60521be963cc7b9bdb714dd4222183ece230e4ada18ed6962b3fab6b0395cc2ce248745262e60a1b1951a314518a8200270aa1e784

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bb81cc989e88d705e752e61c675a2c5

SHA1
25663683eaa1d4938047f38407c5481178eaa075

SHA256
db64a76306d0ea669629cac951e76f8e6aaf566447b1ffa6b96aaece27cec094

SHA512
3ce739a156b76bcaa63ed6439b79ac6ccd256c9e98eb3ee4200180701dd2f83fc60c45306b84f39e034f18996b0b4cd43961aeb39477736b3c350f33a9c9d240

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0633fb212a1d17183f6b6650ed123ad1

SHA1
35c16d34e41693b2da2eb0881b0dbe32d45344bd

SHA256
1273d99fbebe17162fb38a16705636b58ca8ce4b21c9150ae9eeba26321f89c4

SHA512
326e0c0ae16949d55c6a1d1489030686fd5cfb4905f948940f35cb0c2b7fe61381d512af478bc51a91d5f780ec17d7e378cc939f0a1b77e653a61cb8acbc90b4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2965bd366aaa60b91162f47b735c572d

SHA1
9a90ede9f358f4495deb932080bccd2ce0052acb

SHA256
ca2efbd5b6f35865400367fb023b975faaa41269256c95b3775d6c63099b2249

SHA512
1503c9a7a25a51921570ff6c84bc7314050887591bf362a2ad6c1b0aa977f8d234f03efbcb1afe91d3dbbc51678cd827057773f38a23e52dc6685bbe430c8c00

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5df1dde998ee5cee95a67beedfde3ba0

SHA1
d39f38fa1ec6cdc3d1467dff219c9ceb1e6cb78c

SHA256
0a01aec2fe51e55f6347d15e17950242e20d1e669ce137735f069bb7d04fc17c

SHA512
2b768ce44b2ae6c7faaf70aa72b02e88a844bb43265b1a214a9bf85524047274e7c3c9ed77939ec27b5fa211236ce69c220be6793fe7f04e2760cf7c0bbb08d0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a75a27b5b3a5b54fd83fb4fb4a0fc0c

SHA1
44c45d2ff32457230640bf241848acaba2cc6c64

SHA256
166f0a7ba5197a9d389f2b5f6cd561992f281b2235051f5721a237cf88b2db65

SHA512
d57ec984889349dbecfc4e202cac5c5ce31c1988331c0f5087283462efb2671063c3ffb85dedc572aaf01bd9e3f717c393edcd2c6ca092509cd335d3de22af1d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68311be09c7cf9a8e925ae59974e381a

SHA1
fff328a9a2e10d69fad021fd6e91712f2298a740

SHA256
63632055c7fc50d738c765d4cfc970a5fcf308f0d3843ad01817810a4d604ebc

SHA512
674bffe1ca197e1fd7f3a47fef2aacdd40730d1a8cc382854325b92458792df8a0790a7386ae0a892f8f5e4c82d02e13f50dadf7c6d036308f8faa79dde5092a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ebb2524b4baa7cddd70b07f67dcf934

SHA1
a35730db5f03a17c07104be27470d980473820b5

SHA256
d888ce0d57c6583fe575d6324bbf42b48e7ee6cd1741a62b4146e026b34de0c0

SHA512
9b240de7f0df7a323ab1c04a38225c1302f6ecf44f3f5127dac9dd0724cb5ca4268fa95e12e271c3db9282d9171e0e5c411dc8f8e4226df22980af829e839bc2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ede7b2a2846b3c1915ada12e463a6b10

SHA1
2437e8348ba3e1d691bac9b4f86a524a854adee5

SHA256
67b44c5210d0f9c0c526e5f1d631d8681bcbcc24b9b32b580cf8466141be0271

SHA512
aa240e4376a4e3ad908651fe63dcc7f33078200dd360690af3d6b7041ec27d3795d7a4e56c815a5c1d1b1d973d5ede4c9b2ca907645cf61d9eff046f9e05c91a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fc9a3aa74687093669864d35ec7a464

SHA1
75e5eefba821384ab24c4ea8117fcaaf7ed27cb4

SHA256
f8f25dfcbe31ba294509b43f617557cd23e8fa07985ecf3f1229764ee33eadc2

SHA512
54ca6c088b6a5b4335f26b86628601279535dce83f30f266c1110d044aafad59ae6f735059fc1520cae5722734a878affe7b1be4fc40af2140c6124fe4e835cc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a390094ea02e017281262e6a5a05a71

SHA1
b799508de458d1c2e9e42d3ed7856df6bea6a327

SHA256
e542e4ef4d9fddcca83cab704d73b6868eee11dd2ae7ec86decb217bc2de2596

SHA512
12bdc92250f71fda7153972c1e1c97bfd1f40bd2af44e59c87f4d558daaa2bf0192014d57ca7a71d128590fc861ed92951e413ed12f31116d13d9b8dba347836

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2bed2c3eff96c992af8779d98fe567

SHA1
3c91d2cbbdf439b9f0e82b052613515f190910fa

SHA256
d624e04d185dcf3a4bebda880b15ea545bf378ac2a6904e077e0fdff17fd09fb

SHA512
c89a2b9db661ba283c82a416fac4e16b118f73486a9e96cd610df94b9da2833f4892d8b9897ab1f60ed6562359b76b0f06908be68a6c7ca87de1b55e05b5feb7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da4be8f7c3feb24c52c957501d98008a

SHA1
0d42204a4f5eead426c9c7db53027adbccf7cf2b

SHA256
e1654e91320b5bb549f7d6a409dc17cff50afdc4bf2acc00f6c9aece92c607d2

SHA512
373482a818d83a9dd9a73b20a91b46eb976caeac87a5f556ba387378d924ff288a30dd48f222e9eb55f95dab3ba698329a1f559e62c6fa4a1d1b7e94ecbd78ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ecfc70759f9825c6f06833a8a1e4d78

SHA1
dfcdbfbfd44d8c1138de534294c6dbab3f12cd15

SHA256
0762bcab7f0215cd71695c4bb84d4bea2da8d520a7a5ed2c84a18b8253e30b7a

SHA512
86ccf0baa5511b3165af52624b17166b125aafc2bc18de5e95e2321a77ecb8c225de91d12c1c030c050801b68ba1f6041a7e1a345dae83bce2969cd2cdd58a31

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bf42052facfcba6e7039c5ed2ea1bc3

SHA1
7cd3fcec7b395006a5dfebe0f78a97accc68de59

SHA256
0cd45454001b3d1a495b3a997a0bfa8fd9c4874dc511122ea985e44bb0779e65

SHA512
6a31d829adb2405c68a0ad231e46761d268893e1f570789c2957663bf4c2fadf53ee23e02266c9890f058693b1554b8b205a53077acca7cedbcf61f14bdabe3d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
14a1388944be19828041b7eab4764b64

SHA1
aada18636a36450846aebcf83da2a6bb8f88e621

SHA256
e13299dd44464f81e29eaa9119f50fa9936f4b1df266e669bf034243d15d43eb

SHA512
b3f420ccb92c3f64f1d7efc22e0264bce45df6f687a24c16a8171244fa8af75740316fb302341d880858e3c7c7fba649957fe4f21266dbb1def9cc675b5a16a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab522.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar556.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar6E6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwF9E9.tmp

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\Temp\wwwF9E9.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwF9F9.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2420-45-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2420-759-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2420-1376-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2420-1366-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2420-767-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2432-33-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2432-0-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2432-16-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-57-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2432-58-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/2432-17-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-18-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-19-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-20-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-21-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2432-22-0x0000000001F40000-0x0000000001F41000-memory.dmp

Filesize
4KB

Download
memory/2432-23-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2432-24-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2432-26-0x0000000001F20000-0x0000000001F21000-memory.dmp

Filesize
4KB

Download
memory/2432-27-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/2432-28-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2432-29-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-30-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/2432-31-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2432-32-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2432-35-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2432-14-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-34-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

Filesize
4KB

Download
memory/2432-36-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-37-0x0000000001F10000-0x0000000001F11000-memory.dmp

Filesize
4KB

Download
memory/2432-38-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2432-39-0x00000000031B0000-0x00000000031B2000-memory.dmp

Filesize
8KB

Download
memory/2432-25-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/2432-12-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-11-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2432-15-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-41-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2432-10-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-2-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2432-4-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2432-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2432-6-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2432-7-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2432-8-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2432-9-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2432-3-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2432-1-0x0000000000290000-0x00000000002E4000-memory.dmp

Filesize
336KB

Download
memory/2432-40-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2432-13-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download