d518f5eb3c017bf37da72062a06b849ddaf15939e06d59e72fd71dbc175b7180

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 06:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe
Size

435KB
MD5

3c41577daadaecd6675aae3415a97613
SHA1

69f9a4fb6fc28fbca43913082a8d8404c8096b7f
SHA256

d518f5eb3c017bf37da72062a06b849ddaf15939e06d59e72fd71dbc175b7180
SHA512

ef16a71769b0b525feacbd8fed21b7735e394220fbc11ba077d41289997143cd583a2afb93f6dff2f54a234752883a369c8ecb2ba945d967eee4ae3c110ba355
SSDEEP

12288:zIvuIuxAEGDrTbz5429qy/7qTnMH/Dciys8R1x6:zVInTby22TMfDc3D16

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	Public.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B5A103F2-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Public.exe	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Public.dll	Public.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CA835432-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F44331F1-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DCC1FDD-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B5A103F1-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CA835431-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9DCC1FD1-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A41C6570-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DF5EA762-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Public.dll	Public.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9DCC1FD3-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Public.exe	Public.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Public.exe	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Public.exe	Public.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9DCC1FD1-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{DF5EA761-4015-11EF-B44F-526249468C57}.dat	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6e0000006e0000008e030000c6020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "1qg4xia"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 0d00000000000000050000000000000004000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070005000c0006000d0001005103	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070005000c0006000b0033001503	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070005000c0006000d002a009901	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070005000c0006000d000700e101	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070005000c0006000b002f000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1AC2F265-B442-43F5-8E47-06464681C054}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff8700000087000000a7030000df020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3c0000003c0000005c03000094020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070005000c0006000c001a007903	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-a7-58-91-26-d4	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0500000002000000010000000600000003000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9DCC1FD1-4015-11EF-B44F-526249468C57} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070005000c0006000b002e00b903	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	Public.exe
Token: SeDebugPrivilege	2752	Public.exe
Token: SeDebugPrivilege	2752	Public.exe
Token: SeDebugPrivilege	2752	Public.exe
Token: SeDebugPrivilege	2752	Public.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2316	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2972	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
600	IEXPLORE.EXE
600	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2940	2752	Public.exe	31
PID 2752 wrote to memory of 2940	2752	Public.exe	31
PID 2752 wrote to memory of 2940	2752	Public.exe	31
PID 2752 wrote to memory of 2940	2752	Public.exe	31
PID 2280 wrote to memory of 2644	2280	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2644	2280	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2644	2280	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe	32
PID 2280 wrote to memory of 2644	2280	3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe	32
PID 2940 wrote to memory of 2756	2940	IEXPLORE.EXE	34
PID 2940 wrote to memory of 2756	2940	IEXPLORE.EXE	34
PID 2940 wrote to memory of 2756	2940	IEXPLORE.EXE	34
PID 2940 wrote to memory of 2756	2940	IEXPLORE.EXE	34
PID 2756 wrote to memory of 2660	2756	IEXPLORE.EXE	35
PID 2756 wrote to memory of 2660	2756	IEXPLORE.EXE	35
PID 2756 wrote to memory of 2660	2756	IEXPLORE.EXE	35
PID 2756 wrote to memory of 2972	2756	IEXPLORE.EXE	36
PID 2756 wrote to memory of 2972	2756	IEXPLORE.EXE	36
PID 2756 wrote to memory of 2972	2756	IEXPLORE.EXE	36
PID 2756 wrote to memory of 2972	2756	IEXPLORE.EXE	36
PID 2752 wrote to memory of 2332	2752	Public.exe	37
PID 2752 wrote to memory of 2332	2752	Public.exe	37
PID 2752 wrote to memory of 2332	2752	Public.exe	37
PID 2752 wrote to memory of 2332	2752	Public.exe	37
PID 2332 wrote to memory of 1720	2332	IEXPLORE.EXE	38
PID 2332 wrote to memory of 1720	2332	IEXPLORE.EXE	38
PID 2332 wrote to memory of 1720	2332	IEXPLORE.EXE	38
PID 2332 wrote to memory of 1720	2332	IEXPLORE.EXE	38
PID 2756 wrote to memory of 2748	2756	IEXPLORE.EXE	39
PID 2756 wrote to memory of 2748	2756	IEXPLORE.EXE	39
PID 2756 wrote to memory of 2748	2756	IEXPLORE.EXE	39
PID 2756 wrote to memory of 2748	2756	IEXPLORE.EXE	39
PID 2752 wrote to memory of 1976	2752	Public.exe	41
PID 2752 wrote to memory of 1976	2752	Public.exe	41
PID 2752 wrote to memory of 1976	2752	Public.exe	41
PID 2752 wrote to memory of 1976	2752	Public.exe	41
PID 1976 wrote to memory of 1296	1976	IEXPLORE.EXE	42
PID 1976 wrote to memory of 1296	1976	IEXPLORE.EXE	42
PID 1976 wrote to memory of 1296	1976	IEXPLORE.EXE	42
PID 1976 wrote to memory of 1296	1976	IEXPLORE.EXE	42
PID 2756 wrote to memory of 1796	2756	IEXPLORE.EXE	43
PID 2756 wrote to memory of 1796	2756	IEXPLORE.EXE	43
PID 2756 wrote to memory of 1796	2756	IEXPLORE.EXE	43
PID 2756 wrote to memory of 1796	2756	IEXPLORE.EXE	43
PID 2752 wrote to memory of 1936	2752	Public.exe	44
PID 2752 wrote to memory of 1936	2752	Public.exe	44
PID 2752 wrote to memory of 1936	2752	Public.exe	44
PID 2752 wrote to memory of 1936	2752	Public.exe	44
PID 1936 wrote to memory of 1572	1936	IEXPLORE.EXE	45
PID 1936 wrote to memory of 1572	1936	IEXPLORE.EXE	45
PID 1936 wrote to memory of 1572	1936	IEXPLORE.EXE	45
PID 1936 wrote to memory of 1572	1936	IEXPLORE.EXE	45
PID 2756 wrote to memory of 2316	2756	IEXPLORE.EXE	46
PID 2756 wrote to memory of 2316	2756	IEXPLORE.EXE	46
PID 2756 wrote to memory of 2316	2756	IEXPLORE.EXE	46
PID 2756 wrote to memory of 2316	2756	IEXPLORE.EXE	46
PID 2752 wrote to memory of 2076	2752	Public.exe	47
PID 2752 wrote to memory of 2076	2752	Public.exe	47
PID 2752 wrote to memory of 2076	2752	Public.exe	47
PID 2752 wrote to memory of 2076	2752	Public.exe	47
PID 2076 wrote to memory of 1740	2076	IEXPLORE.EXE	48
PID 2076 wrote to memory of 1740	2076	IEXPLORE.EXE	48
PID 2076 wrote to memory of 1740	2076	IEXPLORE.EXE	48
PID 2076 wrote to memory of 1740	2076	IEXPLORE.EXE	48
PID 2752 wrote to memory of 2420	2752	Public.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c41577daadaecd6675aae3415a97613_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  PID:2644

C:\Windows\SysWOW64\Public.exe
C:\Windows\SysWOW64\Public.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2660
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2972
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:406551 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:209976 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2316
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275525 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:600
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1720
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1296
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1936
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1740
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  PID:2420
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
87500831882daeba6a96acc12d52cc93

SHA1
0ee2502f7340c56d0eee2fa81080f8f68c6eb1a5

SHA256
5cfb2e165487f4aa39b164b667d8058b2eefba0a57be4598fee2e3cb1cdd802d

SHA512
92678b72013ff6e0ceaa187ed08e4ab76d5e4015e8be78934234d20f00bb55c5074baa469b1df5e0fe8f19cd9d7e5da550adc3c0fdeb28b48f560bdd254c5505

Download Submit
C:\Windows\SysWOW64\Public.exe

Filesize
435KB

MD5
3c41577daadaecd6675aae3415a97613

SHA1
69f9a4fb6fc28fbca43913082a8d8404c8096b7f

SHA256
d518f5eb3c017bf37da72062a06b849ddaf15939e06d59e72fd71dbc175b7180

SHA512
ef16a71769b0b525feacbd8fed21b7735e394220fbc11ba077d41289997143cd583a2afb93f6dff2f54a234752883a369c8ecb2ba945d967eee4ae3c110ba355

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
efff0d7571cb9055c11a634f77688106

SHA1
d191a113c9011a95ce72080a1e2a95e1912e7a52

SHA256
97a08d8fbb62f4200a64d080cbd6f3dbdc434080de137641a1aca4e28f56fde1

SHA512
566c9716bf2ceb856d3ea4f09a47f15b609700402baebedaec2fcdd634d5392d4cb1fefec4506ae74f38b761583ced0145ec1e81bc700fbf2f127faf7ebb024d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a7e7643e382c4c53a81237f5e8abae3

SHA1
e8e4d43994f31cb03bc21a889920384b70e28c7f

SHA256
be18c6ce290ed8b10289c23468f726306c910edfa4540dabe7aa51f3c2da8ceb

SHA512
91e796e34130ff3aff18e8da11f289667ed756b27aa53075a8b3ab47d17d920011da89dd59b155d9665d6077e263955f99a65b8f76d294122f12e6e13b3f4587

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ad049ed459466ebd23cb37027400322

SHA1
091e95efcdb33adc58747c845d4f6f2df0d6171b

SHA256
00b1465866456e5aee6e43a647d14cb6ef05de6bf75440517540d8129ffa50af

SHA512
fa724d704b39bebe417dd8e12fcf08a46088eeec25cfa83c0e0830b787555b13b89b3e1f8a23fd96e68b4de06591d25c90625edc9d1aa353c7577e66433191c2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16ddcafc43c0f3436409f178d90f6fbd

SHA1
07160d79ac6869e6104b317ab37e11308edeae15

SHA256
7c6e26c238ea21bb49486a95238fb4d46f2ffc65f081a3d4887fff3896df4cd6

SHA512
64127270a309bfb95fd7a0817dc4c0c8e0508024cc42a9b5c4e73f80a7e41d1850645699e39f115d303587fd9e4c9f4c20e6dff1e5eafc473f0c69bc7fadb4fc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
084c69e12d32012f764f748d78da48bd

SHA1
fe17e4b7c9bfbccd9d9e012002380e14780eda15

SHA256
b2d2b5e72b60898dd895c854be3abac2c471cd522f9b7993db70f7afaf27de25

SHA512
ece2e85b2c5362d0b9f62f1af0581015c082081de89f886b2141bfe9e7db93369daebaebc28633a3d91a34c7d4bbf3b0a7336b81bd1bdcd6ba7386a6d9be26e3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be35d84db1c8405445b996a914480a9

SHA1
7ef0451681a986483e3ed8bda48bb1794a7594fb

SHA256
3275019d259cf08dc85a4befec2972384a92e9886528f5947769649a5d521a68

SHA512
8e77c60993b1946f5289f234463aab33c755fa5aa0789056d3b5d017e9479ed4490f1a5a376c30f94489a5eda15dc251e8598cb0dd12549fdfb51c7f988ee7d8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a67ca29a52bddc65764c475e1bdf6aa3

SHA1
7496b6e5f4d4731bf95d4f572e67c2d5260757a0

SHA256
782e896372cd92a1a7ddd7254fb37a553393e3b3aba9ab37817f8703bfec05c8

SHA512
521c895ffc6d1c0c43b6e875a59e73a36f935e7dc24f9ce5004a4018e9a2a3e303409a917de1bc1c0ab3f0dcf48f9a3ec674bb9290f0fcde2c0632584111c118

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440bef424b652b23ef837f6186f96993

SHA1
67765b732c01e3690d4c46d1791c31818e43a161

SHA256
a0435cac7c92c1de179f1394e95596705a40c3ae5b1330299b40eeceb9786214

SHA512
19b8bd4b89089abebb37bee75e9e3fb19545967407f62e61f31a2af1e114ff6cc70c2b970a739ff75e4ccf4fd57ff4c253c451bac9da9e7d02fa6559f87a309b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a6c5e7e9085ca176f83184844999a53

SHA1
58f953c54c5d85c61e57fbdcc27f05d3de6093b4

SHA256
d5625268bb5f53a331283dccf1b49195f8acc226b6cb39196b7c7fa70905c16c

SHA512
bf4044bc43c36a491fb3abb13920c6af2ff0403c680515df4e8af0d7de5b511109b4a81df91e8dedd0c95f04abcb1db2856fb0f031607b2990df3f6781a3e167

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
641141442748590284c836cf2fe1b34b

SHA1
83c7ff0be9baff47e944619f3e4fb9ff602a924a

SHA256
d42c047a76c77d34bc465e456ab57cf9baefb7bedc5c00439ed6fddcbb65c6d8

SHA512
a986a2d6002ce115e9cdc1379b4846f55aec9c372d60ae88aad3a006aa89147fe3dd0d3f24f16df472fff95f1c3858adc0b631ec06e44b9932977b503374049c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d341136b605ebc617958765018e14ba3

SHA1
c4f3a58326fd7475c8c1d1a9e645d68ff0c3b1f5

SHA256
e4b0ae75d391effd6eb8defc04f7ba8a7edcdbca0f3cb2f74850048f21cd3c1f

SHA512
13b97482a8ccfb1df81228438f3ab57b3dcd7a2e2749966832572b0f93ef3b834c8032145ab1b741a3ba8411faac09f18fa8339b482984e87371aef46da1dad9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2365299de876ee810ee3fb6c78e5093e

SHA1
f98359310863097c3b516f275db9ae27228dfe07

SHA256
31e79f2b66ac7a8f3d099da209048cd329166dc0173ebf09b0b6c3c542aba5aa

SHA512
1a7508a45c16361f196876828b344b5425a99d77e180efd6b5f6a345216e5485b934467c1348d7d95555982565949995dde07899f59e6752f83a5bd4b72975d9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa48ae02fde100808f153c2e990b6f91

SHA1
d423a0c751340399eee93be43ab583b46fe72285

SHA256
b5f3a660989c346ff4f473c31f50333f6eeb4c4773dbf2db87b9c87780993f9e

SHA512
ccd5992f1c296dcfb0da7b861a5629625dbb1a33ac9cc136d57bdcd3d6301288a17f4ac2df7e1d5b44eddd87798aaac9d1d229bb4986aef64e25515ebe9d6519

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
780b7f34f13b6841a126ff3aa6d53dec

SHA1
fb8dadc46e1bf2ba7a9a6ac742b07c8f46e5278d

SHA256
a98170905582e8d44691d9947ff7f35170199ecf9f6555cb2fe04d6dc7413039

SHA512
e900a4425e3a36b98d53e09663c645002550e93453b9daf4390932f6d6a49aa3ef97d55769eb4416a31917195ffb0eb4c582a4b5260feaa68f476c6bd2c3c9c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91fd00c42db101147c5ccec5db9ee8ad

SHA1
2661ea0de10955f2377cdc7ff528736e417e66a4

SHA256
a0b7000b1fa474a2e1e03058e0c941bf0e34f9b149d74f997c290a85b2370738

SHA512
13e1febdb3635f929fc24968ca5e42fe8c3e202ca54ed586d6d4ea59c7c46cf252258cdf0d667cc4b15d2ecc2bec79a1cd1fc9f88ce4c454923f60662deed24a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
210e198cc36f1556f5395041f9c09312

SHA1
29b95bab3de6be35084076358cbebb2587c1c6c6

SHA256
a45727c46a1a1dced6162b998b85ea23c33a692097d4c4905ebf1136a5faabbb

SHA512
13ba4a6f50c36ed7e7308c0be74bb308534daa4a2cb6cd594c962d3d324ad4458ef5b5686ecd831e91a75269a1cedc80d0f4d5d678646cd28ebfdef15dab5c2b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0819d7848b6e662ef0ca3fe3a9142d92

SHA1
fa76dfbba584e7a10387ba7e3985d04ef72654d2

SHA256
62658e1d171a7bf7c184d239b04cbd06b1b7457f8408e6c15cd36e862741916b

SHA512
f79e8e1cdbe3de65c70f1c31a71ef57d115363c4cc464e737d5904bad99c621b7df0233fb068c79cc00b14dd39c339e146959f125b820433594a940dee65cc0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e4ddd47505b635bdfb14e921e2c5a6f

SHA1
336434efe26c0e7e275d2c52de54ad8294e5588b

SHA256
2936fe4a224186c6a3db85e18374893049291db913b91ea933bbee4111b56fa9

SHA512
95d896b376a2eb910429c1d244875e55b6f7c507d1d81407b6bdb28888403b42750c7ea86c185548aff12203757cc830338c5c214aa88423f9b0163498e928e9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6147c14d6fb028619b5af6a04aa524bd

SHA1
0ae09c4f3631c1b8f6c5f7e7c60713d3d08b9ee0

SHA256
56ba970df3d655cd3f202a54e1e2c40329a6f8c8cc5bf1bbaeedfc9acc45376d

SHA512
3d3b8b2d7566795a64722d67e0a137ad8ab8ba740d344f0dc74f0160567fa381bc130f5f5c7c8acb2cc5a003e6bcbad06607161f44134147f2370cdfc3fcfdf6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3798fabdfd2f3aee65de9ef8dd10ee2

SHA1
363190f81a35561b717fdd83ccf1b2be9d82358a

SHA256
c7c6e9de0c5e4853e8b15b7244bd78b40a30924b757ff5ffa1dbf4dceeec3363

SHA512
b984f97ed3b6a7655267a459c488770eeea460a1a629848fc0bd9ad00cf702dad47cabb4c486205ff27d32fbcc1f9776be28e7127072bcb1c3cfd7fd0e4398cc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
951f8d6f4ba46e298d8be0da7cef61b2

SHA1
01361741e3721ae7ed0e3db9b4018b2fe2b2d858

SHA256
3c078fe53bdaa8c30b9bd7c10d8c02acc3b3b670b882bb3e5d0da0da207d42c6

SHA512
ef07e2a508822a0e124be1ff0015073e4cdd76de14d2e8fc4826d7e901b7584f60e2dc71aca2a9ae622fdd6cf20bd570f691e881ec7a023b3802203c0cdb2467

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab9053.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Cab9143.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Tar9058.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar9203.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www84FA.tmp

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
memory/2280-7-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2280-26-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-24-0x0000000003220000-0x0000000003222000-memory.dmp

Filesize
8KB

Download
memory/2280-0-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2280-42-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2280-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2280-29-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2280-25-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2280-3-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2280-5-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2280-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2280-41-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download
memory/2280-8-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2280-27-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2280-10-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2280-11-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2280-13-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-14-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2280-15-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-16-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-17-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-18-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-19-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-20-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2280-21-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2280-12-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2280-2-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2752-742-0x0000000000400000-0x0000000000501000-memory.dmp

Filesize
1.0MB

Download