087ed0d4482bedf400ce0c87cee7970724be100b016192e21c717518290f459f

Analysis

max time kernel
134s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe
Size

48KB
MD5

4af866f8f7ea3f79fa3dce9dcfd75bbc
SHA1

aa51fe5b3fa6934f6477d5272f2d8b1224a4f769
SHA256

087ed0d4482bedf400ce0c87cee7970724be100b016192e21c717518290f459f
SHA512

6c0fd3804e738e38a5a0feeeab7712d798777c8544d4f81989182efc9e07238eeabff251c142440b1342a1ffd05073004dfbd2b607503b1fdf65b33c43f7b44f
SSDEEP

768:LdyVVBi2VIgVHwa/pqDD2Z5dAh8BtveJwgIS:a1OgVMf2e8tveJwm

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1852	RDSvc.exe
2424	RDSvc.exe

Loads dropped DLL 6 IoCs

pid	Process
2148	rundll32.exe
2148	rundll32.exe
2148	rundll32.exe
2148	rundll32.exe
2908	WerFault.exe
2908	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F74797B1-42DB-11EF-B357-7AF2B84EB3D8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F74797B3-42DB-11EF-B357-7AF2B84EB3D8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F74797B1-42DB-11EF-B357-7AF2B84EB3D8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2424	WerFault.exe	38

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 708fdebce8d6da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = b009cdb9e8d6da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	RDSvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-58-b6-51-25-c2\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000034af564faf753c4a8966b34057fbdd5600000000020000000000106600000001000020000000a8bd4939eeef420b7d6bcbc3b409e9fd774b0526aebe68cd3b58dd04e2eafbf1000000000e800000000200002000000042c942d85ee6778c0f90bc3c6d5132be71b5a55761e068243773c7fc9d861203100000009b361d1f673f3270c47f1ac1a89449dc400000009669fa265f764084856ad96939db38a8669eb9e186d6c6a2b7b06d105c6a0884ee6f60608f6dd25f199af6d6b0e907a89435c6825ddbf03c7f38e35a10a33b56	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 3084c3b9e8d6da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070001000f001200380027002503	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807070001000f001200380027003403	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F1D04F48-03D3-437C-A674-67DD7F1414E8}	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe
Token: SeRestorePrivilege	1424	rundll32.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2160	IEXPLORE.EXE
2160	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2972	2384	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	30
PID 2972 wrote to memory of 2412	2972	rundll32.exe	31
PID 2972 wrote to memory of 2412	2972	rundll32.exe	31
PID 2972 wrote to memory of 2412	2972	rundll32.exe	31
PID 2972 wrote to memory of 2412	2972	rundll32.exe	31
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 2412 wrote to memory of 1424	2412	4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe	32
PID 1424 wrote to memory of 2108	1424	rundll32.exe	33
PID 1424 wrote to memory of 2108	1424	rundll32.exe	33
PID 1424 wrote to memory of 2108	1424	rundll32.exe	33
PID 1424 wrote to memory of 2108	1424	rundll32.exe	33
PID 1852 wrote to memory of 2160	1852	RDSvc.exe	36
PID 1852 wrote to memory of 2160	1852	RDSvc.exe	36
PID 1852 wrote to memory of 2160	1852	RDSvc.exe	36
PID 1852 wrote to memory of 2160	1852	RDSvc.exe	36
PID 2108 wrote to memory of 2192	2108	runonce.exe	35
PID 2108 wrote to memory of 2192	2108	runonce.exe	35
PID 2108 wrote to memory of 2192	2108	runonce.exe	35
PID 2108 wrote to memory of 2192	2108	runonce.exe	35
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 1852 wrote to memory of 2148	1852	RDSvc.exe	37
PID 2148 wrote to memory of 2424	2148	rundll32.exe	38
PID 2160 wrote to memory of 2332	2160	IEXPLORE.EXE	39
PID 2148 wrote to memory of 2424	2148	rundll32.exe	38
PID 2148 wrote to memory of 2424	2148	rundll32.exe	38
PID 2160 wrote to memory of 2332	2160	IEXPLORE.EXE	39
PID 2160 wrote to memory of 2332	2160	IEXPLORE.EXE	39
PID 2148 wrote to memory of 2424	2148	rundll32.exe	38
PID 2424 wrote to memory of 2908	2424	RDSvc.exe	40
PID 2424 wrote to memory of 2908	2424	RDSvc.exe	40
PID 2424 wrote to memory of 2908	2424	RDSvc.exe	40
PID 2424 wrote to memory of 2908	2424	RDSvc.exe	40
PID 2160 wrote to memory of 2604	2160	IEXPLORE.EXE	42
PID 2160 wrote to memory of 2604	2160	IEXPLORE.EXE	42
PID 2160 wrote to memory of 2604	2160	IEXPLORE.EXE	42
PID 2160 wrote to memory of 2604	2160	IEXPLORE.EXE	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 SHELL32.DLL,ShellExec_RunDLL C:\Users\Admin\AppData\Local\Temp\4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe install
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\4af866f8f7ea3f79fa3dce9dcfd75bbc_JaffaCakes118.exe" install
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Windows\temp\rd.inf
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1424
    - - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        5⤵
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        6⤵
        
        PID:2192

C:\Windows\temp\RDSvc.exe
C:\Windows\temp\RDSvc.exe nt
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2332
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2604
- C:\Windows\SysWOW64\rundll32.exe
  rundll32 SHELL32.DLL,ShellExec_RunDLL C:\Windows\temp\RDSvc.exe exec
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\temp\RDSvc.exe
    "C:\Windows\temp\RDSvc.exe" exec
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 124
      4⤵
      Loads dropped DLL
      Program crash
      PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
9b5deaf903bc256143a8d3b23d6a8d98

SHA1
33a1782a9512a41937a5f831f640533ba3717d07

SHA256
0c0ac8e059d41957e7b593f78a9f2b1973a70e5421ab7e48b70fe6978da5eb0b

SHA512
cfafdd3e84800a72da8e8c81aa754f283352797deb08e07bf9c6814ef6c43bc65ba495149a93f6bdc321276e457202b73a7209c9600e878b0b00991c6341fe45

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7aedb09806f8e5870d573187bbba492

SHA1
2b5c51bd0f8474b5507ec80bfdfb700973c138ae

SHA256
fbe607d6aeb10dd372351e5f31a1d9893329461e4dfc4a254140313d80b3da1a

SHA512
fcc222360d26f8963ec7241f0a0b4fb34f55a583fa52f9ccf0ecdb0f8760bacf0175b3c668235bb444095497b7e96ddc9b4495ac7a188c7654d34a9a6f1fa9ab

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
176744669a1e8f8025bab904ead97299

SHA1
90edcda99db6b8309686bda47086a1ab2660c75f

SHA256
531bbbc7cac68492a7a6baf85810758ffdac4a8f47e84066f655e45e162db56e

SHA512
893c693a5c2e0886f64e60492924b2af1dd093ca50a31fd71d5f8ef04350330bc055352733de136112c78a61781c7f6fdceffbcec1f18040195aa673be5e0c75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
247ab4a5f2bca20a28a28fff58c619f0

SHA1
fc4c9160dc652e57e5f3a6bb4580f9f5af7d397c

SHA256
ac47bc0d33750e02e57af6842c1e1138e4af6f534ee3b583d9574bb653eff6a2

SHA512
ec81cb0c180dcf53c47243bad75c42a00a9eb5abe2e2295f3157053bc61390d37e2b51d7ec345b77c97f429b020b068a5e1b6f9f75e8f5353005b6a08d5e262a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18718ce067fc1c5192bd28cc506f7b72

SHA1
302f639c6c9a06fdcc58ca189d984b7d814aba2f

SHA256
28f16e983f3b47b7ca4ead867aa24964929b94f98e28e45ebeb6c9f4f3e0b9dc

SHA512
ae4fea38388899039ef5fd3e8e9e49ad50be3fee0128f8045e64304c440123d8937d774e9573c4e5f135a8e349070e185b335a252693e72ac9cdb0819abcd937

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61e5ef2fde4fbdf0048dd4a6bee596de

SHA1
bcac09a0adbd1d704abfc989c9e342f79ba1bacb

SHA256
dc73c41086c84707eb6a099be1ebede6754ed643f46598cf1a1a1a360b2b72da

SHA512
e8fe70352e8473746dc7b393d7463deed654d185a8353a41d43f81fb60146dade1cb25101b576367d8fab1e58c838604e951568a5007fd6f8ae1b2d6be498c04

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5efd0b948d694e070e78fc7eeb684cb

SHA1
679c91175fa474f41f1d7514ae6c3048aecd31e0

SHA256
18d9dabb12052b008832fde406aed91a951651a658a69abb73834726e06116d6

SHA512
4798c69d1c0bb749c3a8725c5bf4aa7841ec80e1a98e3b37b3a2ba2ff4216785bee0fccf65ce5eb869c89e372945cc2234cbfac280540e4e2ed2dc7f9d45a54a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ef6d21e45670345da0a40811c7a1a53

SHA1
0f2dae8147610a8871613a2bb03da40b16a7f087

SHA256
75a19fd25ec682621212e96595ecc7823731ead15b97a0bc7903c0b7d3892c77

SHA512
feade7088a113b4dc7972d513b70674ea62ccb2476157cb00ca65537580e3f8b3cb4f983fbc2b7330dc13c7b6b05e199428fe8e30d2e76d911b76167a327f35c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf009a362fc761d402d01f0f1bef32cd

SHA1
3f0b7c2fc8d68d7aba0301813e949d3d0555893b

SHA256
b74e6c5fae39e3a8e69b0d6801895a8bb175b5a980cf39c4dafaa6ea1daed59c

SHA512
5ab77d689851edaaa87076f388e769f20a9e0d6f6feee95db427fc35cf0ee7a29233c5e60a14d65b0c8fef778d2711b92f98f4b82ea2f3aa7d60c6f1ad055e6e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b15f8b3ab6060089b4ee541375659cd

SHA1
ef570d6fb15df59896ce0b561fee8cbb03e47046

SHA256
d09fd9fcd24dc92691377fb4e3dc5031ad4850881434a9cbe700200e5aac88e1

SHA512
d35f36b792cf4780838038c8ebbad21f3c01a7a168a3160e1d57d0e46371d511ec462a255e3af62a0a3667a0a40ee155cdbeac89bdedc9ab7783bcb34e8144ee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe1759adc92782d61dd7ee694666f6a0

SHA1
1f82277d9938a6c99f1e03adb87c44f6ea7e7f22

SHA256
724bd25a04bbb998e006c3e55f567d6f0bbc57c52d4c4092e7db69dfa253f868

SHA512
5bb40954ae6c964dd986721f3bfdc6aa2e48e30313ed9a5aea7c896741bcee1746553df8890c0299ffee5b42bb1a368220aeff881e401bb1ba6599cc4b6474ae

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f4294a272aa3103b159810f40334c5b

SHA1
90d653810033184cc36b7def0caf93a8e01eb262

SHA256
2355c54d91e69e03921e339773a8cf9acb33ce07e0f4bc195a0a9bde6920b871

SHA512
fead825335a54335a3ff56005b68d2cc576fda6f541c5df9c5f8f62b84d0d255ddb4f771d73dfc0e591db186d50d63903199604cc55b1a8a7c799ff45c26cbe4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a17cf928a04075673e4fe94b6698520

SHA1
abe91978e2889dd738973394fa413ecd1be2711f

SHA256
6a9fbb41367a3229246fba7e7cf6d3594bd7cb955bfb70acf2120ed458357ff3

SHA512
05f51ad44ed6461c50c8daf3e6a39e32dcf72440662a2a73af3e9eab09946c4a8427f9335c7a078afb23d1eca8e4300af8aa44c25e2a80b5255269f9781ec32c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d87d9b717766d3387e8c855f35658a4

SHA1
4c82b1f2c043e35396f980905d61650ed3421b3f

SHA256
4509d807fa09593a49097d9f358907807ff5ea4fff639625fa8a0a5d0152dff1

SHA512
7a7e4debc6a04eb1e6bc09777d6d6b04c2941b5ef72e7dbe39d2fe43d201828e56e0a19bad6693b67d8c20bdb67a468a944d3f57c3721a02d7823d3bf9c06222

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aa4859ac8bdfc9374de95fbac300546

SHA1
39cedbca2d6ed825895f7349b8486230524d70b6

SHA256
68465a174f3354aff3cf1f3070f52302691aa9638bcc6c5d9acc5d2ca7432bf7

SHA512
31d0ab64e1d2908b5ac3f301c46d9976c39cb2d358d20a1c329067bb90f544e220d2096a01aa01db603ebd6db50fd30917dad708c8dbcbdbf54960199ea28092

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3492271a0993f17f77cb9e28543a3f5b

SHA1
a2e4c7f4b8794ac75ce0dec129cf9ac50724cde1

SHA256
80b93f76b8f52b71df4b0adc22ba92bde640d0ca1b93ff8ca6f509dbcee62fab

SHA512
7f2d791cfc68d48fd1fd89388728975c68a27713afc16908571ce755711807049ba6aaf4a7e44b8affe45458690f1f7aae5217268aacbc3a996ec30d3edaa497

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b734b841db14aaac0e1db91adae1fe6e

SHA1
3600d438529d6afd9e52e1d1192fe9b159d76150

SHA256
5f6f32bd263f71fb1979e319027b27106c7e7e584790af03d80375e97de3a875

SHA512
d5bc74b1d29f0bd0122a4ecd3178af41d020362fc0aa737e2f0d87916038f99c06a007700252581e6a82c6568d213a0c7eba0b72313c483400e392b1ccb15a74

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff7eb73ceed0dcf6534671138eeb49d1

SHA1
6d51a4b4b03c0c878b8e4b58c4745f4fbdaf9ed6

SHA256
14d7ffbba89b68a291fdae37442538d1d5f24e12e70ca00fe882632b7ccecce1

SHA512
53eb865d70ae695243b345a65669ffe660d89e72bc1f3d8b7222ab2b806f905a9e3a4b027aef4903b03d9b421d096abede0350460756a2e90a20dbdd7548bd3b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b550040d238ae35d217d2bd6e936bae

SHA1
85e70c78c6fc9ffaafd4ea60e3ea8f6dc76e9122

SHA256
753e3cbf8eda24dbd470cb276b9802e4880bb8d0ad648a309f48aa2f7c46f912

SHA512
a208d861aa6cf94eb7300dadcf73094a004166069f83ee49db369a6a263c8aec605167e11cdaa229997b4f3047cffcc03c478bf367a61fa53e51f3c424b7209a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cef5b51dfc24658fb76d6ba1922f2e60

SHA1
f776a4447567ad5b1e671c9c05efcbf328d20701

SHA256
87435aadd543245bdc889623dc73422bf11fb1c1f7622cdc432883b202b7ff65

SHA512
d3163fa04e6994172640957f78dcf444ba6516cd71ec813eaf531adf2ae0ff59138b8cfcbe5c3b7e15f8874a543b0d678fb193c1e30e89178445bad52cadfa2f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabBB78.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\CabBC94.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\RDSvc.exe

Filesize
48KB

MD5
4af866f8f7ea3f79fa3dce9dcfd75bbc

SHA1
aa51fe5b3fa6934f6477d5272f2d8b1224a4f769

SHA256
087ed0d4482bedf400ce0c87cee7970724be100b016192e21c717518290f459f

SHA512
6c0fd3804e738e38a5a0feeeab7712d798777c8544d4f81989182efc9e07238eeabff251c142440b1342a1ffd05073004dfbd2b607503b1fdf65b33c43f7b44f

Download Submit
C:\Windows\Temp\TarBB8A.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarBD64.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwAFFE.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwAFFF.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\temp\rd.inf

Filesize
254B

MD5
fb5c42732e146c0aa436426d16d299ba

SHA1
3fc49b822ebc78e50f2105677a01bd52fe8c2131

SHA256
6f3eb1fefb3001b431dc902b62da7ef694ec3953ae8df3299f88d1e80e60e332

SHA512
279c326747e461d9975690410cc0df902563534c783837c6a81b5dd94f783e68f89b38b23b6ceed32674cb127dc70cd551dc88be46e236a3ba1e71ce06e33c2d

Download Submit