2cd4e16967524a89bc1c47708f5eb067788323c15f77a7d54b422ee361b4907c

Analysis

max time kernel
119s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 22:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe
Size

1.7MB
MD5

619bce7e6035edcf2e86f962df7d89df
SHA1

dfea977f509f6794c395c2c9a024ae2826b3b93b
SHA256

2cd4e16967524a89bc1c47708f5eb067788323c15f77a7d54b422ee361b4907c
SHA512

bd51fdf2bb9d0991ae3447db21fdfe404cb72dc1ce009ca156b4a5c5d8f816154443fa29306615de4647c521d6dec00b3fc2c229100b62a3572da3b24bbbbe78
SSDEEP

49152:aTb5Qbcgf7udEblEZ2pT/s2TYjC0ED7pDB:Gbg6kTC2zD7hB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2112	officemsi.exe
2784	officemsi.exe

Loads dropped DLL 2 IoCs

pid	Process
3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe
3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B3A83E63-47AE-11EF-8CC8-424588269AE0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	officemsi.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3A83E61-47AE-11EF-8CC8-424588269AE0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\officemsi.exe	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NewErrorPageTemplate[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\httpErrorPagesScripts[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BBA75CE0-47AE-11EF-8CC8-424588269AE0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B3A83E61-47AE-11EF-8CC8-424588269AE0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\dnserror[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\errorPageStrings[1]	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E873AE7-AAFD-4933-A723-564B0657B038}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E873AE7-AAFD-4933-A723-564B0657B038}\WpadDecisionReason = "1"	officemsi.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	officemsi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E873AE7-AAFD-4933-A723-564B0657B038}	officemsi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-ca-8c-1d-5e-f7\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 00eeb47abbdbda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80707000000150016000f001100c50302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{B3A83E61-47AE-11EF-8CC8-424588269AE0} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E873AE7-AAFD-4933-A723-564B0657B038}\WpadDecisionTime = 20363f79bbdbda01	officemsi.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "dmm4tak"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	officemsi.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E873AE7-AAFD-4933-A723-564B0657B038}\WpadDecisionTime = 80b0b177bbdbda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2112	officemsi.exe
2784	officemsi.exe
2784	officemsi.exe
2784	officemsi.exe
2784	officemsi.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2784	officemsi.exe
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE
2612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2112	3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2112	3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2112	3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2112	3024	619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe	30
PID 2784 wrote to memory of 2660	2784	officemsi.exe	32
PID 2784 wrote to memory of 2660	2784	officemsi.exe	32
PID 2784 wrote to memory of 2660	2784	officemsi.exe	32
PID 2784 wrote to memory of 2660	2784	officemsi.exe	32
PID 2660 wrote to memory of 2696	2660	iexplore.exe	33
PID 2660 wrote to memory of 2696	2660	iexplore.exe	33
PID 2660 wrote to memory of 2696	2660	iexplore.exe	33
PID 2660 wrote to memory of 2696	2660	iexplore.exe	33
PID 2696 wrote to memory of 2788	2696	IEXPLORE.EXE	34
PID 2696 wrote to memory of 2788	2696	IEXPLORE.EXE	34
PID 2696 wrote to memory of 2788	2696	IEXPLORE.EXE	34
PID 2696 wrote to memory of 2612	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2612	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2612	2696	IEXPLORE.EXE	35
PID 2696 wrote to memory of 2612	2696	IEXPLORE.EXE	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\619bce7e6035edcf2e86f962df7d89df_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\officemsi.exe
  "C:\Windows\system32\officemsi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2112

C:\Windows\SysWOW64\officemsi.exe
"C:\Windows\SysWOW64\officemsi.exe" StartService
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe " "http://www.xinbut.com/SU/index.html"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.xinbut.com/SU/index.html"
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      PID:2788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
51dca9c0cdbd859c4817f4a83d6092df

SHA1
314846815a3b441b3dbdaf5c91da3ef6a93d5d10

SHA256
c916e5abc6c63e48c1c000c03eabf21af2b7fbd5c531661e27c698a689034b33

SHA512
f6cbb70245c3f4820168cda9b9ac405cfbf7aa593e530afff855ea0923449f00dcfc162f6d356ea640ebe1e5b46a56717081c531f400e45cd4430cb345e1def8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa73c7913721443763572d2ef274030d

SHA1
65c1759e3277bdeeaea12f05002886ff67c99c38

SHA256
f3428093ef72d3a8a8433987d17d94a2ed32a730bf43c189d1f1fe44360aedbf

SHA512
bf28531e63453c2bbdcbd647382f3bbcf2f2ec32d1fc2bc8dfc8a2e6e3ab567cdcd3390b9f49055a6ed1433823fda6a18c991ec7714da1f1e353d207b45a6ae2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1121f0b4a70fd4d06c996f594317e6de

SHA1
010230761c7f47c908314e72db59e374420d0f27

SHA256
28bf8e32182663d2a5b4a6d3f8c0d15b824ffcabb3aa35403b3d73fe8e9d3710

SHA512
81985928c8231549ec5566d5e6da5b695f9d48e65adffaebcb0ffe98d46eb2d373402a7432e20530a3f8b8ec905231531389bb027ffdf708ff474d16c168199a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
805d3ca173472b681f98ca9b49755998

SHA1
9db654d3f19e3ce9e9198e6dab6c77dd7248163b

SHA256
4f3e43172b1559c104895a8c608db678470ea46e502b7f071db688bc449c98e6

SHA512
9211e32ab6e24a6a067f53d3e4daa82231edb87c3bbdf94df6bbd74f49fbaace6ec00563a6cd32bac62fa2aa3d323a3e6b6b985f2794c4a93780d943f8c58b77

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b86d69fcfe8289a79f5b45a083411ad2

SHA1
8be0284e5c2d046238be40ad66920dfacfb73c13

SHA256
b3bf41e1e9b6094083381b40cae660c2ba67802a05f555db688e3625e28b78a1

SHA512
01fcd2bb3f8648d4e91708049afaaf69e372aac7df14396abbb4f98d08e789f38243b644b338551b9fe3c3a754d477e2a0c56a69457d31341e53326a9c41b812

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb80a28085c12c45c79138ef7b4a0985

SHA1
64ddfda317e99a1514dbe0f009bdc184a4837843

SHA256
457de37e2d64e8ae7cac9ba381b57e41e40d8bb4f6e759dba2ff0a42ca2a7ba0

SHA512
f4a8cd1664392f82dff0f3192ed75c66d65d4d5520c971e0335c12455e4f483069071f6504b33e3f3309b9aded21fbe38701400b6912133ed5f0e704a917e408

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a84a38294e1ab1b7e21b21c2882d6c5

SHA1
88f987b590bcdde88e5dfd06d279543758606f36

SHA256
569a3b5da7eb552e8ba63d908c73b4ea9b98b37f6dbdcb8104ff3f626c4d13c9

SHA512
24b859f58cff54569fec41e5a788d1b5f963553396a30674cad09dfa823f0c50ee09c76aca2bd7ec57c2f2c0c21af4d502aaeda3f26fba7194181d204163e000

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7edfc46f33e3ff3cb4b78139deb4dcc2

SHA1
5543a4c8c9582facaa44a1b2685afe6a526ea053

SHA256
0e840be1f174bd6f2c93d65cded7efe43cd209a583280f61080423ec0a19a882

SHA512
6d0f2996bc5a4c98e523ff1953a0b107f4a0a68a82d7b6c2575f41e1d72c5cd41a08d9b16e5f18e8683b9cf398687d334b9df945af1edbd97c5462e7a330c5de

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
753cebda80c0e355a5d116d2a921c801

SHA1
16ba9d4d966eea6ed4685fd1e09123fbc1fb55f7

SHA256
0d883a51ebe6ad234f28f057096cdb104338515cb1e1627b913abd9a265127cd

SHA512
551a3f08c9dfe64561f9db6ee55378ba02942f2e4c1a5d7af6f94fa5572a4615ae793a78df944bac2d59c47c6baa783421eb03e51268a36466bbfa8eb3c03998

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4ee7847add0784cabca2ededc0f3b3e

SHA1
58ef22d8e29900317493f8a180cd46fc10d13830

SHA256
89d2889df6eddf3e097ad8bd8743220208672d29d554ac54450709dbc793bd6f

SHA512
e5f8d70f826c4b812c95c905bbeee5af85d2c9ff1efe19084b58fcb91403255a3a04a28b7467540f62cfc84a14a5318cbf84478f7a0fcac2dde43a210921dd9f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11ab56f3ca5377c934f236e0f6908962

SHA1
d064f6a39b57fad7f3dac7dac350515891b0246e

SHA256
1be90446cfdbf44cd82705398ca4403b1d34b611f3a85ab9c6f280c12d1b944f

SHA512
75258752c96a30c623de3739a6db4b18e740751aee3e0ad18f687981cdf884f2902da756b1f33cb7642d5e2a21214a22ffd7da4ddadf5deeaa8cda580f7c245e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35967ac0bfa7107da8842f9f59deb53a

SHA1
d780302115b444bb3fd4484082b258a784360d82

SHA256
81c635e3c8e7fc344f0678a2c1bc7d582e36e5f54b2e33e1f4b8a18373fe9acf

SHA512
2d202a6189b7b94f3242768cae3dfe2ffd60d6fe4943fb39cc6cb5c23603c01791fb5425049b82d4c9451fb6bda9d79d6156fdb8ba057382fb8a63974c8194a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2559098e3aa6e42342855c4a975c659b

SHA1
c20ba6d0e2a080be4b1f6eaeae2ee6115d4d5225

SHA256
a13b01e6e7264af1b7eff58206f7745a302a49bb382f8d7db9bb372016bfec64

SHA512
02dd7a0064f26cde59bf04a8b1e0c9f2214552f5c1150c8dc5032ab773e6b31d2804f5cc3e18531906e7b8cb1528597a646ee53d9b76c60565de9ec943ecf714

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54f3a7720a8a9d118900d329c45d086e

SHA1
6d22d378adc95661c8379ba34f531d6afa353383

SHA256
670b5284badc7551d7759d5e8bcdb355aefdc463717ef0f8d47ab0c1aecd64b0

SHA512
c94181e68f0100efc2ebb78c3b9d4ae74a2f4f179d0bcbc67f0387f14b66011eb95937c2cae3e46f3f254947e13066a87b2cd5d8c6aa48fb903825cc691b0b1d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6183709c5f24b2760dc0275751e6cf5

SHA1
62b5de3dc66efa5950ef04120f59ec1991f1ac26

SHA256
31582866ca20609e215d05c90bc39fd64157954758c325cd488511aef4ec5956

SHA512
835bc13689e716a21b9f7d765f14a95f71d6e0d063e166cb2cd869e3e02a1b80466f80579e97a7b9f0a86c993de27882338e9fc04cc9b32603384b98ccc6ef38

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e2f2c3e7bf3bf4a466a7f541d98df21

SHA1
55c7051d9b3802bdef4761f91cc65452913ac404

SHA256
de0f0250771bf92d3ff0b9cc27ee9890997c59fc7b0b3732ecf15e74c637e1f1

SHA512
9691c350fcb213cc5a08c0cda1a945332c9a049b23a6c8c76b5f523b146541906f747510e4f6b57e99946d516c24267c1ca8261cf07ea8c98916875d3642cbff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fba2f1bfa38569d3393c414e52ddf73f

SHA1
e2d90f3444f73f7659bf0b1092e2746dcc0cee0d

SHA256
a0b14d83d7a131a2aae07b702b79f4212ed0ff6a0a5fc64b52118a7d44aee8e8

SHA512
7e94af05021c05118cd0c7d59b93f20d11fe2363b77dd2e598a2324cf956e194bff8ce98ae21bd58c8002f3de383926b36e4b8554729d3720626e012106dde01

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9f92322cee79a1146d8fd13d6876bca

SHA1
4e57c005d8de293e7a0904144784458429039f58

SHA256
37d6cc73c31a75101a9b0d69a41d0b04e96d7a91fe84543759b802cace73655f

SHA512
d5c2c7d75611bb33dcefc8426a7ede5505f4288e12f0fb5ed4d36d21ba6a680133619f089506056916161684d35c3ab6ff2caf99f9941e518ada7e8f49181372

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b073994c9c4674ea63fe7f9b74584050

SHA1
c3f5b2993aa7c3984369c928db075df03940816b

SHA256
fdf0a376d34c76a13c4bd4429566ec047012fbbc6aef6e9ffda1698f8f280bae

SHA512
c9b0f9337f78a08ca6ae12d38f8c3a48ed28ec425a27ab34300886d328aeb9e480e46f86f8013e543f22a700786cb72b8f03121c6e281994874594c1168e17d7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22bb9936d6fdb923418f352e8c0aaec1

SHA1
02064df33d069e2af9da188de2835fc9bd7b9db0

SHA256
e0140bf985c0ae3fb9385498048cdeb452210e3a46727b05d00519b103617c6b

SHA512
dfc5c2d256023691c95b6e89331708e6703399af187cc21511d6b60693f870d1145f0548949832c71761f0543dfe0045a24e8da5927961cbcff765cac561616a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a8f4c604507c8a5c0e0527363d8bf1d

SHA1
28cd90bbc473627bc71c4f4743998f18458c8470

SHA256
6518c08fccdf32585f94873fdd4b776d541e082239047645d59b86643197cea1

SHA512
3e071df32f11cbb037acf8083f2f470c08daff7fe10f4d1eac47a7cebb036d1251706666edc33fb7ff38cda799043bab4b05be3a580e4006d9e53a4dd54ca2ac

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3698e23133533d3935ac5b81473a188

SHA1
26a1dee79dd420a6bcc1ac99f20c0efdf0abc279

SHA256
00beb362e5177442036480d987c1568dd36148ff98b4ab3e9a288da7215e56c4

SHA512
d0a0d7789e628bd5fda34a856f0dfcf66e338a39b6a3fce6bf8935aded263e6be6f54fc3f47a4322c511137556596a646237e289f14c834985c5e524dfd3b726

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f3af3cbb03d998453e8242267e3358a

SHA1
f31793369f06f9ad52b2045711305e3e944cf4c5

SHA256
26e18bf68f96048b528b624bbe8502bfae4d43f1f3f7127f64ae55377dd9d6c9

SHA512
68287c644fcd8f0aaf7b3de9e522bf0995c4fc09a96576164feeb61092d8648626bb294d78ac5254b10e89df2012528ec2c94eb3d64916b12bbfb144af2c8e18

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c04c5776d1d98fd7a29897a1cf00b0ec

SHA1
5b39555e3d85f757ba0cb300a69c39dc14f060cb

SHA256
7bb667954327eb015c414fa1034bf93adf5500dc7ce43bd704d23b13c05f7203

SHA512
166fae2f0b6876c4d2ee57849146ad65897cd7500ac5ca11404f6cbe0fd28539303ec7d547630e6bac8745c3e1707775dd987f0e2ac25ef117f04d20b3ce6d6b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cd7593666b995dd4c8b86817d068a8a

SHA1
c4ae8a9395cf36ac76762902b2e64e74ad17b3ea

SHA256
1939f270c8009bd8867f1a0f27dba619cefbed71551197883831de13788980cf

SHA512
db761e63000ba0aac924c63e3ede08341b99287a27dd5c9dc181e2a97c420441193f7fcd88f7c2863b5f2a33905bc39b7012b98b60a4cdb86f164230184a397f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4010d131dda94cc6c66b7df29c0eb5f8

SHA1
9249b6ccbba71eaeaa3d5788e25ef3bb5af43959

SHA256
044c1f3e80ec9006a99eb6e7e7233faff918dfdd0b9b608b28f59e243ff9d464

SHA512
9d078b1c429209ca9a362894228ab00c5f8c2bb1b6f97615d6c2157b4582bdcc1572a22b7cb35ac27297dac4288564c0e3186aea40e6f315610dee5479af65c1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
370B

MD5
1c147dc6a83a554e2b4bc5d913532aac

SHA1
9e9c9bf4661021a6b0519f029bfc39bd3149d8ac

SHA256
3a7522fecb574c61eaabbb58d338d8171c48b092b5704475efc1b8f5be4d3151

SHA512
3a2c859d4b96185ea06fa790d54a51125185ff20d244200cc250953c12272dca1329d05af2afa5102ed5efeadaca69e9691f8bc01833eff4f8ced749aa759b1c

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab6F88.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar6F8D.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar713A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\officemsi.exe

Filesize
356KB

MD5
94494e3d493bdab214e15c5305c839bf

SHA1
e1ca6656628d783151663122f5b787e7cb7e3a5a

SHA256
9121e67a4f6a8d8edf36b5cdb2e8fd4e08b3b27e5a93b106c79d77ef0f73c2d7

SHA512
9b2b791eeb1375a99516acdb46ecc61b2855bda5bc5eccc2607bbaed14fe1c7f8e7988c94c555ff03cec560c7993119bd0a241c211c1f5159fa754ae9b9ece07

Download Submit