52b534a0d448ce760205ff27755f40bde99d5c5d06c945575c23338ee2a2f257

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe
Size

115KB
MD5

71adbe9e6ef3852130c23de45e3991c7
SHA1

c26626933e09bd7b20431a07315a47fc1d5baaeb
SHA256

52b534a0d448ce760205ff27755f40bde99d5c5d06c945575c23338ee2a2f257
SHA512

b689c6eb7888e18b1fc5cbd11c18338fb602dae9c448e4a10a46183f2a2b2eec3b021caf762492f0a00e001e82698663adf7b5444e98f8d69316a4e8961dd0b6
SSDEEP

3072:2/WSXeqlB/V8XWkMmcIU8PybrRnjgxQhHZleG1Q52:qOqlBuWkM5f8PybBjgxS3eGe52

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2620	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2120	Rpcs.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3995D7E1-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3995D7E2-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E75EDD2-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6355B5A1-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Rpcs.dll	Rpcs.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{21BC3103-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Rpcs.exe	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21BC3101-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Rpcs.exe	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6355B5A2-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\Rpcs.dll	Rpcs.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{4E75EDD1-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{783805E1-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\Rpcs.exe	Rpcs.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21BC3101-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{28113960-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{21BC310D-4ADD-11EF-8ED3-72D3501DAA0F}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rpcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B9E402C-7E0E-487C-B7F1-0C9E996A78DE}\a2-ca-3f-5b-fa-13	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80707000400190017001a001800b802	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000000400000000000000360000000000000003000000ffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80707000400190017001b0022000403	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 01000000020000000000000003000000000000000a0000000000000001000000ffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80707000400190017001a003b00bf02	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = 20c748e4e9deda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807070004001900170019000c00e70300000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807070004001900170019001000e40002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80707000400190017001a001800b802	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80707000400190017001a001e002901	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 03000000000000000a0000000000000001000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = e04147e7e9deda01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "5"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80707000400190017001a001e002901	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 00a341e4e9deda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "7"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "8"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	Rpcs.exe
Token: SeDebugPrivilege	2120	Rpcs.exe
Token: SeDebugPrivilege	2120	Rpcs.exe
Token: SeDebugPrivilege	2120	Rpcs.exe
Token: SeDebugPrivilege	2120	Rpcs.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
944	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
3000	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2556	IEXPLORE.EXE
2768	IEXPLORE.EXE
2768	IEXPLORE.EXE
3028	IEXPLORE.EXE
3028	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2608	2120	Rpcs.exe	32
PID 2120 wrote to memory of 2608	2120	Rpcs.exe	32
PID 2120 wrote to memory of 2608	2120	Rpcs.exe	32
PID 2120 wrote to memory of 2608	2120	Rpcs.exe	32
PID 2268 wrote to memory of 2620	2268	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2620	2268	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2620	2268	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe	33
PID 2268 wrote to memory of 2620	2268	71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe	33
PID 2608 wrote to memory of 2768	2608	IEXPLORE.EXE	35
PID 2608 wrote to memory of 2768	2608	IEXPLORE.EXE	35
PID 2608 wrote to memory of 2768	2608	IEXPLORE.EXE	35
PID 2608 wrote to memory of 2768	2608	IEXPLORE.EXE	35
PID 2768 wrote to memory of 2796	2768	IEXPLORE.EXE	36
PID 2768 wrote to memory of 2796	2768	IEXPLORE.EXE	36
PID 2768 wrote to memory of 2796	2768	IEXPLORE.EXE	36
PID 2768 wrote to memory of 2556	2768	IEXPLORE.EXE	37
PID 2768 wrote to memory of 2556	2768	IEXPLORE.EXE	37
PID 2768 wrote to memory of 2556	2768	IEXPLORE.EXE	37
PID 2768 wrote to memory of 2556	2768	IEXPLORE.EXE	37
PID 2120 wrote to memory of 1212	2120	Rpcs.exe	38
PID 2120 wrote to memory of 1212	2120	Rpcs.exe	38
PID 2120 wrote to memory of 1212	2120	Rpcs.exe	38
PID 2120 wrote to memory of 1212	2120	Rpcs.exe	38
PID 1212 wrote to memory of 784	1212	IEXPLORE.EXE	39
PID 1212 wrote to memory of 784	1212	IEXPLORE.EXE	39
PID 1212 wrote to memory of 784	1212	IEXPLORE.EXE	39
PID 1212 wrote to memory of 784	1212	IEXPLORE.EXE	39
PID 2768 wrote to memory of 2856	2768	IEXPLORE.EXE	40
PID 2768 wrote to memory of 2856	2768	IEXPLORE.EXE	40
PID 2768 wrote to memory of 2856	2768	IEXPLORE.EXE	40
PID 2768 wrote to memory of 2856	2768	IEXPLORE.EXE	40
PID 2120 wrote to memory of 1944	2120	Rpcs.exe	41
PID 2120 wrote to memory of 1944	2120	Rpcs.exe	41
PID 2120 wrote to memory of 1944	2120	Rpcs.exe	41
PID 2120 wrote to memory of 1944	2120	Rpcs.exe	41
PID 1944 wrote to memory of 1368	1944	IEXPLORE.EXE	42
PID 1944 wrote to memory of 1368	1944	IEXPLORE.EXE	42
PID 1944 wrote to memory of 1368	1944	IEXPLORE.EXE	42
PID 1944 wrote to memory of 1368	1944	IEXPLORE.EXE	42
PID 2768 wrote to memory of 944	2768	IEXPLORE.EXE	43
PID 2768 wrote to memory of 944	2768	IEXPLORE.EXE	43
PID 2768 wrote to memory of 944	2768	IEXPLORE.EXE	43
PID 2768 wrote to memory of 944	2768	IEXPLORE.EXE	43
PID 2120 wrote to memory of 1576	2120	Rpcs.exe	44
PID 2120 wrote to memory of 1576	2120	Rpcs.exe	44
PID 2120 wrote to memory of 1576	2120	Rpcs.exe	44
PID 2120 wrote to memory of 1576	2120	Rpcs.exe	44
PID 1576 wrote to memory of 2312	1576	IEXPLORE.EXE	45
PID 1576 wrote to memory of 2312	1576	IEXPLORE.EXE	45
PID 1576 wrote to memory of 2312	1576	IEXPLORE.EXE	45
PID 1576 wrote to memory of 2312	1576	IEXPLORE.EXE	45
PID 2768 wrote to memory of 3000	2768	IEXPLORE.EXE	46
PID 2768 wrote to memory of 3000	2768	IEXPLORE.EXE	46
PID 2768 wrote to memory of 3000	2768	IEXPLORE.EXE	46
PID 2768 wrote to memory of 3000	2768	IEXPLORE.EXE	46
PID 2120 wrote to memory of 2156	2120	Rpcs.exe	47
PID 2120 wrote to memory of 2156	2120	Rpcs.exe	47
PID 2120 wrote to memory of 2156	2120	Rpcs.exe	47
PID 2120 wrote to memory of 2156	2120	Rpcs.exe	47
PID 2156 wrote to memory of 1880	2156	IEXPLORE.EXE	48
PID 2156 wrote to memory of 1880	2156	IEXPLORE.EXE	48
PID 2156 wrote to memory of 1880	2156	IEXPLORE.EXE	48
PID 2156 wrote to memory of 1880	2156	IEXPLORE.EXE	48
PID 2120 wrote to memory of 2744	2120	Rpcs.exe	49

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\71adbe9e6ef3852130c23de45e3991c7_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2620

C:\Windows\SysWOW64\Rpcs.exe
C:\Windows\SysWOW64\Rpcs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      PID:2796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2556
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:406533 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:603148 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:275491 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3000
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2768 CREDAT:209975 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:784
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1368
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2312
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1880
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2744
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
903ac04d7e98a2a38350097712330234

SHA1
d632efc567e04c0b71245881f2410d67d1838ead

SHA256
116f68d7c3dfea4f9ad90fe1ad73cd86f87aafd6852e399e663d65dfff23862a

SHA512
96f6e8d9116e6dfba248dee985120c4dd913577c8c1081cc63fdd724bea45b44234d5d728e61f807f8fc2b71b9340238006cadb4c470c85e9b37adc2e6f7989e

Download Submit
C:\Windows\SysWOW64\Rpcs.exe

Filesize
115KB

MD5
71adbe9e6ef3852130c23de45e3991c7

SHA1
c26626933e09bd7b20431a07315a47fc1d5baaeb

SHA256
52b534a0d448ce760205ff27755f40bde99d5c5d06c945575c23338ee2a2f257

SHA512
b689c6eb7888e18b1fc5cbd11c18338fb602dae9c448e4a10a46183f2a2b2eec3b021caf762492f0a00e001e82698663adf7b5444e98f8d69316a4e8961dd0b6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
afb84be6bc558c88936a3c38c39ebc07

SHA1
05737897356e31bc0c1843a681eb9e313f918fae

SHA256
088e26137b5080269acfd06308b1a600a2f3016315a80db26ca225af9e17b7d1

SHA512
027dbce7b9288697217250245b543f53c9034f07661e817184b4e8a7339a186f34dadf64d35ac7671ea45c04ebdce1eb64b068e15045b49e9dfc3a5161a6a023

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
279d400159757c0d43d35a3feb9fcf17

SHA1
6984fb04e9e1632b15738127e8efb1400a003398

SHA256
fc6ef7cc0f26602c8d04b00472275622b309d64987d6441bdfc96aa1233ea539

SHA512
331ca33db9251ca38fc87b3a2df2fab13836082d6968440556eb439f33a3960da1c1b2c0d361f43057f545950fda4ef2448ea45e60b1e5c76d52c13e212d070f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b797a6b8c3bbe3c899c69d3eb35c9313

SHA1
22b4e355d29d8cffd432c376ae620fd5d5a02439

SHA256
4311a2571efdc3533a4fef36dd5278ca680cca5118f8cd50f62f64a3751e14ca

SHA512
828e4f965ac14a977362958f50518313408b93f459e5a3ef37c1db5b525e1fe482bbde44f8e988fb98864b90c4e95889a8d043e0254c1bdb14ba14ca99e910b6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb6a3f2535156baca84d83a8c3f39441

SHA1
d4e1302f33fc10220817e78e2da4c0bf316b4d84

SHA256
4b2faed302bfd987d9adc23edd16a019299d56753b53d0f8e97e40d41d41e89f

SHA512
1dab0b2dbc64247d00a4a5f17f7a3a73eaf54071f00ce17c23c8b6bd769087c7f1a6b800d9efd7782432645d0683b5abd1223ccf6dfbe74a8c0fd50cbcd27082

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
847dac313a2dba8c053a1f42ffde7237

SHA1
e241c6a32b9a6604804f805cd61626107206b827

SHA256
1fee8a4e1129665dd7c059d8d9d3d21083e97f6875c91169dc4dbc3845c5db21

SHA512
de11c9b1242cbaedc06347bdbce330f6b185e65f77ae0986b3b9a375563c9df4d13c7ba0c0cedf192c9213fa0740995a3fe65efbe877f89d818ebec037846f18

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f19d97a1980a2540ce132828b22e0720

SHA1
cc512b5f99fe6638abfbfe7e9dbf64eb05a15312

SHA256
8a9caa584c2c93316d2d13127fc856889084e34666296684f8668886d7da1c15

SHA512
e343cc7a16623da43717f45148dc2e7bba5fb1af28b8afb3915c9e407830c6388e8cf6b88632802cb8f79589bd3752216c53db2ba42c817adcb4083f5fd2c824

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81c3accca4d7c66c0de2b61149ea57a5

SHA1
8d1bd2c5957c353d713ab00ac5f37a2a23381156

SHA256
6c23982435664cf5095a1d4edac6df55b44cc5c242a0556f036923d040f49a07

SHA512
8ef75fd07eff555272548329fd1b922e7f9572de2735e43906f1fe2f5afca3dadafe6171e808ef32eaa5e7d18018b66ab238d0143d7279272a30f410944ed922

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6dcd9bc0024bdc2f93053b9f0f57598

SHA1
774cbf5d87168aaf0f6f963413310b4e25ce7032

SHA256
f6feeadefbe9d93abc6e9f05d82cf7e73226f83a47bfea36534cbdb2138bea79

SHA512
003143c95cf529b41e94ba55298e0876a34e5146629c526f0b4bc574610c0d723d8fdd4574992d5c3d10309fee31851f7173258aa94c3474a87dd8d1d5b31172

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f74c8a5586716e8073e37fa5b84c7128

SHA1
09369201d05013c6f9a1baa20d9575f245adf36c

SHA256
ccf43db77100a10567b9674e4881bd6a46dca2b8459a40e0cbb1d4edd1d7b7a0

SHA512
dec672ed5d37dd5ff014760fae39445543b5e7d2f5278f4e13525e10c382f0ec53daa5ecf06c9381eb31d712440ece453a7d326d2d2860b6302f4883406acee7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd8baa4d275ae56202d736fce9531d15

SHA1
adb5516a62087c95ca51b127b67dbf91ae250709

SHA256
2c8adb63ec4abdae3c90bcc280892d3da96bb15820cef96a87a7c60219b5adf0

SHA512
00be90bdc8e819a5a9094c35625772782d13e8247ac6076f778e2f2b218f7f45568042623c4a14db4fbbeabfbf68e136f0b755728a15a0f47beaa64734107d70

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf9ffdeb8aba24f1dd4df293838dfbd4

SHA1
4aba5d426ae84057dee40b5c89024605ba585aa1

SHA256
f67f4eb821b9d8803a5ceb6328154d51fe013b6fad9ce3e00661d3cd006b97f9

SHA512
c6cec9bb344862b52d18b84fada2cb09540e25067505b01b3f37da91462162d748a997824b933a38e7b77a9ba7888c7da04551d38d3c71241420e2cb00873131

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b146ea14bbc276c60611a36a70e9461

SHA1
f718ff7d0b6545f08006820873ed3d744bb4307b

SHA256
de9059802b1078b0264ed485d4a31bc081256789a43c6af704fd6a67b38df837

SHA512
637d5085667a8e3c847791bc2025b2efa5ca3f0b8999b2f443e786a97ffa36114858d174077576cfa486a32216e0a9508854d4cb1718c3b91f0e506c687eb10c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5611199046f1a6ed675ac484b80dbe2d

SHA1
aa567394e2f16ddae2438e0e27826427842c2707

SHA256
9dd89cf0b78b5855b235c83121938574271dc9a8119b9abcfa3a3385dc6432eb

SHA512
922df9353f485fe9d07fc2d026c60b384f1cd2e3b71d218b00b1e07b03055c079265ecf8f68aa7b2a01031726684b7e3dcba264c71765140039a5481418ef751

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edcbc67c0858d881822845912782cb5c

SHA1
491782c164346326e554e2bdf85f60e1c8e1994d

SHA256
bd0f9f64d4af50d39ed8e98cdd88e8206b582f36e00934952397551e57a00881

SHA512
78f642259d2eafb3280669878ac1b56fa4c44672a5ebe0e0ae5425401162d91b481c38936da79dc578af6d46fed535f9a74a66063c77b1412bfc0db1c9db203b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93a218d479d89c7e292396faa5f49d43

SHA1
6d847d84343ce46f0937b1c9551c0aea2aea415e

SHA256
aa169e83f4ca7ba9afdad3671bf94916346367a3c163f303d9a772e949ecb211

SHA512
0d773266f4f5407f236dca19da29388f75d2446a2e1de8138017c981d00f59291c2d60929da7fd74a858177966d2502eeaf14011da8761571817d3ce16972b34

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeb5a10cc2e7b3557b654046eb494b81

SHA1
2389de4abc1f5e5815c5ba829923684f06012ade

SHA256
98a5645115f26816c499a001f82fd9e3e230541e648ac3222fd852d1c482563a

SHA512
38cfaef945a2054e6f502610210bc5c9aa7bff59af90724f30a584ca06238167e2fa098cd96f1bb343ec46796ba0a689d720b06852c39173674991b6034f0238

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2819452ca2a0e67418f7eeab596e2fc3

SHA1
655d50f14516742de2a3c0282dba9ad93f503e44

SHA256
634a0c0fd33f68f1aa828bfd4b9910c3125b504667e82e3966f794008a13850b

SHA512
84823e39bf14944bef99c26f5d6488ab42d75bc63d591897f2e5238a324b2656de8dbeece6bb02717a7b1d1f778bc73a222b259e1b4ee1982adc1417d0f3d588

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af21606dd1387e6d7a5c9b55352dacdc

SHA1
2770d6bead085cba1d3b5f04f2e59c1ff70db436

SHA256
c6b6e8386e843c240f6e794680bac31a5e0f9a5f0483d0d1e4d3cd0dfdc079c8

SHA512
74dfa90464183a54f20b8ae58286fde54173190f1c8756095dda8851ca925e858f2dfe476da19f779cd0ecf2c15016d41c13c3220f521a33c41cee664b58fcc4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38d35575c524157951dd649ce14fd510

SHA1
6bd2ffc9565e3286dea4291f78c256e770a6d24d

SHA256
3bc661e9be268aaf2359bed4a8ed2f61a7ee645c29ceb5c5cb68032eb8a00511

SHA512
4454d820dfc789799d5291df6afcc21180a9680c4dc2ca89c2f18d28d10816245922da85a02f77b00d2760f4352ea8f3869815efe89cfd2969ec9d0e45d1f9a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d6e8829e3d13e2b579be0a2eb1d5c49

SHA1
95698f2f5b0ce4961038e2e683c546faef8076d3

SHA256
20b5cbe8bf29dc6741d0304e4c1bcf4d394b3f851e395f8db76ed96a37f90817

SHA512
f9e26bdf80f513d125994584c2ce175fdf318ed7c3c4d1542111ef69871dd107d32174c9fcd929885fbf28d0fbaa8a3363d4af071887b7d34108ea42412dd098

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8cdaa15872e768a31f956d1e5ce6ab6e

SHA1
477eff4108f10eae33fd499a382e984a0ded629d

SHA256
16047a9f77dd14d96bc46731487a86c66f44a839e85ee3b5431442a5a47e4524

SHA512
a63bddc3c81c57fc52420d6d3f0050b7aac407b50665b64bee188820d58fbd949befbe3ef6cdafae644daf87e6b6741d164d7c4950c570f7a4922f9a58f12f4e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab949.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar95C.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarAE9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwFDCF.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwFDD0.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2120-712-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2120-719-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-716-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-710-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-7-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2120-6-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-1318-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2120-1328-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-20-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-2-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2268-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download