e0fec3d8bfcad9ebeabbaf924bca008206b5bd14c499e6a95bf74f695672bb58

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe
Size

1.0MB
MD5

77ff8dae8b08b8581bdf7bb5d0d2cf7c
SHA1

698bae6e8fc54fbb4620761583c43fea7909881e
SHA256

e0fec3d8bfcad9ebeabbaf924bca008206b5bd14c499e6a95bf74f695672bb58
SHA512

a1dce277eb85b5622adfd853ad01f6b8d3708f0918f2ffa94aea63f1924eb2cc73208a90cd5c373cfcd893088424beb96338598596ad90350675294549e855f7
SSDEEP

3072:CYsgk+ruvdasTt9NHhayrHlbGAP1Qm02B545g4FuB3bBo6P6We0VyOjUout:Vr/oS

Score

10^/10

defense_evasion discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-51345991"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-32316696"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-71297042"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-27425461"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wink.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Safari.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpcmap.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshelp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracerpt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cclaw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet98.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
372	winlogon.exe
3996	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3996-20-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-23-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-24-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-42-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-295-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-443-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-547-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-647-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-747-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-857-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-965-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-1208-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral2/memory/3996-1955-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7574D4D49534F465 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7574D4D49534F465 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Indicator Removal: Clear Persistence 1 TTPs 46 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SVCHOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 372 set thread context of 3996	372	winlogon.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1546"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "198"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://rpb6x8bm42085h9.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "10079"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000d455838d1f9b76c4fa39a87eaae9d22db604d13cba418ebed2a9fa0bdd15ea99000000000e80000000020000200000000d5dae3cbaea0dfcc7b1503efe0721f6e12304887ca27af4b11ec4907dc0abf0200000008c58129a382c869262050f13a88fb22bbbd6122ff973dd7ea70c2a2054eb166f40000000155109c3ed4f847e49f767dabdd3ef65a5f3d49e17541e428d59464c73c02f23979f7ab8fb5f54912cf1f3f922b64c538f01affa902f8bcd0f806de18d7e0d9c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tiny.cc\Total = "219"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "509"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1830"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1580"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "11851"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000f5f1cf56a05da26a9b3b2e37e9698571cbcb8eaec9222cdfb57340d580a71eb5000000000e80000000020000200000007d46f0a5d76d61e3caa4bc2fbcb6d47f76444cb5de77e1ad1f5d561546043fcc200000002dcbb89172599c8baa4d8f7128c8d9b38b423af6e5b45e19615542aab21242af4000000056e6a780123a9547fd8959c016c145abcb22a9a68d3cad79fa54cf2053db3fd5517847fbee1f6080f754edb8de8ddd09c2e197dd0f4de54bc5c73cd3b51bb500	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000d08a34b0f30e91cedda7f5ce4a2c6c9245d5dd026be0079dc7785bf68a70f103000000000e8000000002000020000000eeca41d9c09402fa096e46de4cbd9a46813bcd19dc7e21ffaa5d9ef1d210b07b20000000dcad62d90a45bc01208ca2342793fdcac36d37ca6f9e920b838cc0c138d932774000000021aaf7509137712a5ba1bd83d64804444bc8557d14898f08e4d9d6a4a5b779924445258c9b785b6bcdb97255d839cb45a687dc0691a0f3f7f123e901800f2979	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "1703"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "250"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tiny.cc\ = "43"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "13347"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000a567babc5551f56b719166c30d8dff88a2075306e7ed3cab6f054aa3f75ffa34000000000e8000000002000020000000e22f42370c32566da1d49724c5a1ef96b307c3bcaa973d6da387d369cd0a506320000000b2de649c4f4fe366288898857aaf53d74acc9c55a422049db9ee23fd255e459040000000db7d1ef485ddb3fedb32e4c43fc4025ca7e6b5c2a92ccd81d227c38b6808955adecec04dad1d4c9cf057f2a9b617b0db6f5cb7cec364cd2ff88800be3fe6c83a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000020fa6f043ccf36af2e7be6621ac7f10114288f045a003371892ed3fae1060ca000000000e80000000020000200000002a8b4c5b7feee5c5b5129cbc92fb42adb14f8d5277fd054660864117821d3f0520000000eb7306671b89c81e96027953546485f87e3c31245e8b190004adade9f3117c9440000000942aec7f75ecd086ecf47a3ef691fb99dcf337d61ff5012606805e9d0d10d64c97085a50009691598c582cde0fcc90f8d1bc4068fbfb6f77d7d3b373d544cbdd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1615"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\Total = "32"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://e55m8e096ha3pi0.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ae1d435fe2da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000faac672f242da07ab4d99c3002b6ace700ba85d7624b25cb3b2fe1d7c3135f96000000000e80000000020000200000003b82f4ca6693bb8977af4b0462bc33f671a05e75fd74bdbe0c804d5912463a812000000062d8cba544713cc0c90f26a35753bf2d001db63ecf52c2253175e470460c4a37400000002df619505e69e9f695d3d0ce4fdf5f3cebf0b0d660b2f60c33b8236afa2ba417eb83920335b001312b561f3e54697e7b266013357c640f1092ff0d6623d407c1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\DOMStorage\hugedomains.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e30000000002000000000010660000000100002000000047aaedd58df70a053ffaa22c4bcb64c0b63553af6ad9823c4e5aaaba55182f91000000000e8000000002000020000000961bea264708ef1c01174b092c20e7d27aba7402cfdd0dad831b948d045ccf312000000004338ef4c767bf928b7dfe20416ebc3558fbb36be1fda1cec2dcea9697fdda3140000000589ec9507ec588807dc764749802d289edb31d6aceabb6905f7f0bae7ea85ef9c43c6a0f135f2812cda47028bf32af7b5f7f5e4689d4969af9d7f6cc3a92eb30	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "510"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "282"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1697"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "730570233"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e300000000020000000000106600000001000020000000c20df80566e8680d0b7c120e46d9c00c0b56795fdf064eeb36831dc199a79a4b000000000e8000000002000020000000b6a21d445439df7253ffc4ab614043470c6460b0f1f65b111a9aee548225dc782000000096f8076f93e3fefbe24e55cf8191f65b4edbf692cbae56c5d66844e9665b3db1400000002c120922d676e44c16372bf07b9fe49c30721d41f16889fd88ea5eab8c4cb1aec9bdcdd14e68c7e9b632f3a6968eca0e2b8b524484ada1833076bf21e19d6ea2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "1582"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\hugedomains.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://u1ogcqyi6vulbj9.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1582"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\tiny.cc\ = "180"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "1697"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051c0b768fca2ba44bd953be6973682e3000000000200000000001066000000010000200000007a7414614e9ad95abffa553034960b37b99b20f41e5e1fbc75eb59db6bbf9ab5000000000e800000000200002000000096f59a9ef531787f5f763d3c5a94b23552151474d8441eaa995f948231b740cf20000000d420bc907d3879cfa26901b0611a291576e618d5271f6735f71fb430c4a3e023400000003e635e6853594442b788002e6e15ce535ba0f336db251e429d6260552853659009b92b72d2a5385a42ad32916f4bf26faf3d234375efa82474a558652e9b407a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "13117"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "1701"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.hugedomains.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{573538F7-4E52-11EF-8956-DA1D1A3BE18D} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "197"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\youtube.com\Total = "10079"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1599"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "11204"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105c506b5fe2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "6"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "13430"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31122015"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429095077"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.youtube.com\ = "13035"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://uxb52x4kyq7na0a.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://390p7vd9tqmn1eq.directorio-w.com"	winlogon.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{26EFABA5-B903-4804-BCD0-FE6363B1E8AF}	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{E71AF9E1-F3C0-4E88-B54A-AABEE1DDCF67}	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1705699165-553239100-4129523827-1000\{002E3B0A-8AF6-44A5-8BE4-D765410D039F}	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe
3996	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	3996	winlogon.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3872	iexplore.exe
3872	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2080	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe
372	winlogon.exe
3996	winlogon.exe
3872	iexplore.exe
3872	iexplore.exe
5056	IEXPLORE.EXE
5056	IEXPLORE.EXE
3872	iexplore.exe
3872	iexplore.exe
1676	IEXPLORE.EXE
1676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 372	2080	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe	85
PID 2080 wrote to memory of 372	2080	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe	85
PID 2080 wrote to memory of 372	2080	77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe	85
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 372 wrote to memory of 3996	372	winlogon.exe	89
PID 3872 wrote to memory of 5056	3872	iexplore.exe	96
PID 3872 wrote to memory of 5056	3872	iexplore.exe	96
PID 3872 wrote to memory of 5056	3872	iexplore.exe	96
PID 3872 wrote to memory of 1676	3872	iexplore.exe	116
PID 3872 wrote to memory of 1676	3872	iexplore.exe	116
PID 3872 wrote to memory of 1676	3872	iexplore.exe	116

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\77ff8dae8b08b8581bdf7bb5d0d2cf7c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Drops startup file
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:3996

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2316

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5056
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17436 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
6a104a1a07977722f3649456065d627a

SHA1
e26c236645613c60121c96c0c3715e806a1bdc7a

SHA256
07da536eef31d930c831d7fe1c998cc2f48b87c5e2ff883ed641a63e5987fcfb

SHA512
92d65d0bf1f5a67f0619b1bb3cc1c389deb2aec1351938d9b32da322144bd5bf4e15c8e655f31d64e4f0a4523f4ef7556bcc046504adbaa71ce8ee096e5fb393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_2684244D836539E46881612FFD50440A

Filesize
472B

MD5
8f008b73c9566699a495e065ab2053d4

SHA1
b2624f35acd2a64c6ed5135a2d5110208f09cf03

SHA256
8efdd34fb5db087e6baa304a0f0ce8bd7911899ef6c25c987508bec6de2fdca5

SHA512
ea2ee7c835a218106fe36182a06f12cfdac6863a88ea0561e369f2c1ea3b6126ff0df4585c4af3dc76930e80fe7644b50472f88d5736863d59cbc1ffe44dc7a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_6FECED388A0018EC91E0052A44417642

Filesize
471B

MD5
aa9a048f0a60b87dc416da6f84a91b86

SHA1
244e94b4ca23db399d2faa35afec7bf65434a52d

SHA256
2db9c01bb6e36c9e2f5062369f971c4d392c34b9f335eda20c451f20b7cf581c

SHA512
079991161abc73f0c0d0f8adf9445e58e7ceabad91f53791667d0994cc5fce8d5f222aa61adde78198520267ad4a64dfb5690958374a9e30f873bcf2d820760e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_C8148947EA6156316FABB48A14CB47FD

Filesize
472B

MD5
5a0cd94d097008090bb9d1dd745783b1

SHA1
419ef3f08990ed25604ccb0c749486cacb57dbb8

SHA256
d2f7595faef3d1296c4e12c8fbf560974beb986a8547996955c3c592165e259b

SHA512
518ceb8b5217904a552eca3e5df5012b2c4c9f30bd5c7c6051b90a71b1f349a09a8a3426f15d5d826758e6add6aaf646b5bfaf150fa80651b0d7bfda921643e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_CD726B3E63F3B047EB7AD9C60415612D

Filesize
472B

MD5
df547fef2fe47011ea1311eb8e930329

SHA1
cb00ecc22b3c4b47efe5d8bb3ca24b73a68f46f0

SHA256
184029dae79a449328f218862bd1313ae44dd4c0f33fe6babba045aceab7754f

SHA512
42a7acdf827f2dd516577281435b38f7f41da0c2add2e2e5199b2cf2a5ce185dca5a172910e432b01d63beebfbac40dbc5cbcf0eb807302f8f9d10a350fd46c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
836d92c831135ffe10d7c33fc0c3fe66

SHA1
d38e2b40f4d06233d68e9ed9c6b8116ed41d1454

SHA256
bc7e6eb403f7ff1a2dd37814d4455a399951f876f476f79e10d265079edd597e

SHA512
8a340719a6d11436e3962a174b2e541cb6c5d6461e31de346f4925c47397a8730476564a8aa8f231560fb7a5e475bb143935a36060d98d35817aec4b9a97a596

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
4a7ed5eea973f09cffd7f74a8626e02e

SHA1
78c8b11412bcba5fbf01945aa97638e93f02522e

SHA256
e95437b55d78f636e619f2a44737726fafddcab99209e355947d63ced6d6ea4c

SHA512
2531568324b30755e42ccb044425054084ab59e562ca79df32c5e535814338e41577b2814bbbf8c9205f3d7b14271c0586d9815e258d6f44d8f7752ca9d7abfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
0202c056e727363fe62e0f4e52046042

SHA1
a73a233815f63c922992852f82b78dc714cc101c

SHA256
d4a0a7f4d37b783ac6807028ad2c7f6b8d088da63d0a25168b9ad9bff1a2731a

SHA512
54c5f9f330978439cc2e166c48d75e450dbc1cd377b84699aefc42e36d18bfefd1e9ecf262276859d28d177f3feb9dac8da12b3deaaa328563833a29ccd4e77e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_2684244D836539E46881612FFD50440A

Filesize
402B

MD5
a99c8af0e4bc5fabfbc04c60eda980f8

SHA1
7b4a5c4d5e14dcfd401ff5f7d943b147e385a5e5

SHA256
e6da15d14ead58e42d2fd94519f2fbd6f626cdd7935259d2632a1084913662f5

SHA512
d1dc3d9882aa930ec70a9d29055087af7f0754c7a32c780293819db3bda7339c6dedbc3f217a76c93285568c076fd0f2b0dcab82e3d89c449e00156e121d362a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_6FECED388A0018EC91E0052A44417642

Filesize
406B

MD5
7486d371abf192aacbc4b3f9b1f1bd19

SHA1
0afc5179e081b07ac842e0c9f94ea4f0ebbe0510

SHA256
f5fd4ccb8806688e66fefd3a97bb2197c92d75dd289adc6f565d45fece269962

SHA512
f66bc5b2ab32ad5125d3181b00e243aa13cb68f0b98ade1495614d25f90348319cd78315ed53836930e677dd8c06d7d8a0fb395e565d3f09cd1946cc2f93718d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
dce7fa399dfc6c334bb2af5ba9271ef7

SHA1
9fe9c39e18b641d0408576c71dc4f8ab25115de0

SHA256
670a333445661395698446496ac57d4b0c19f3f3f0c1f2865da9b4e969637224

SHA512
72ed49a61889a87a746587a5571cdc242cafd8e6c3f4deda052252573ad3c78139d2d3b0b7d71e532e1388497a9f41db304e16c62d77454525ec5680718544b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_C8148947EA6156316FABB48A14CB47FD

Filesize
398B

MD5
96650616c3f61005b14f6cc7ae67918f

SHA1
54bcfda85378a6b1f26ac5faf271ce5a095de967

SHA256
4b18f069e91a6e82f051f60487cf64cd46a22bdf18f1ba69c677b3d6a0706fe9

SHA512
aa64e48f5a91d2e5c260730ce8b45474ff98794b4445ef23b606292bd9816ac90a63a5d642456f00ce4f1d6484ae2e19b7cb88d1e1efeef43909db2ffe384af6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
ea86312c01027711607abbf1d7d45ec9

SHA1
ca952a0b66466ea60987112d89b343052fbdc0da

SHA256
e5f765f8b788f27130734b3859630759955939518081e0c49c7dc81f8a680e70

SHA512
b2f864443e6b41507edc348d8528a4c3884ff93bab3ca169091c25655043bc858e9762bce2ff4c8d8ff04758d19a144cb1c55a24eea28ebccffaa686375815c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_CD726B3E63F3B047EB7AD9C60415612D

Filesize
398B

MD5
7f5f953988a1d13b95dd21218e9ab686

SHA1
106ef5a1fa89501724a46dfe5ada235e7dcd7fda

SHA256
196f6992ac109eab7f0ecde3cb7d6da7b0dc9969d1c526ee02dbf4b751feab90

SHA512
57c89bf0627a9f5692e69630e552c5eb4b8d4dec2a27fa75e3cc45c5cc5271d4be38927574de213c27e1c862e8d90d0cb5681510840d919800de2d04d627c5dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
a080f3112a4dc83da36fa26387679f1d

SHA1
3ec95423a5ab687ea7eb1a42078d72e5679d2826

SHA256
636eb1873f426da3a84c75c7fd76e99631128b776329b0d81cea6b3e95b017a3

SHA512
a5182b6827f19943841297843fff5805de47878408a971ec859c8c53ec35f80bc8101996497d4f4a6602ceb5f5aca7c4b2c750e4433507c9534ce874fa0ed036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\7WR0ID6Z\www.hugedomains[1].xml

Filesize
116B

MD5
90846fd353da752444aa77defcc45e63

SHA1
f06e9f070adbbfdd1b27ae17a59884870ff65a80

SHA256
5fb0521b3c31564aa6b0a0dd2f9891d1c3a1631a8f125712c609c0b7b64b68b9

SHA512
fde9b9bb888f9f4bf7bcdc1d11024b448ac8f96044c4c2f4313226dc206e1e2239a8f7849b6f2b02c2e30fbff3db2c03296f546604961b55437534c113f9b3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\BY9DP54S\www.google[1].xml

Filesize
94B

MD5
dcf44bcfb96e82c445099f6f21547ade

SHA1
6b80a3d8b413a318e21d2dd861df2ec9459c9507

SHA256
7e47149eef0742f252ef561be8ec1c7c66c6db0941735b7047900fd72a056451

SHA512
4d9ba51d15a7eea651f4bd75a33a66a26ca8442bb8e07fc993d64301876aef6e1b09fd73c5691bdced0abbba7e976f604d586ecdedd7773266cd043e65d67cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
98332d46b1e0c8e9a63388bbdb64cbfa

SHA1
3356f91e291ab2ff55f54506d800bb490deeeeb6

SHA256
812df1ab972609f692e024dda6277684a438ef6e1a59d3557bd11c86ff408e2c

SHA512
d7cd26e62b7a72ddd6f87e785befd71dc236606f9d2216ff7d87bfd3c07cc65e84ead1f96c6c41bb7dffb928b66eb08a3e00adf207fc4bbb8a7f3c5529227bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
16KB

MD5
7125a7301c080f9e3c6255ea32da1634

SHA1
7e18df4409655e5af85bca3a9f193ae10ac7e78b

SHA256
7adb5d5ef0d5543f983f297662b06b3ea21dc860303743576bf73e9721f0e52c

SHA512
65ca01cd8a9301150edba7ce74c00583feeb5d86556be0c5d3946117666440d0aa42e1019d6be0338e910956deb92de72c34d2485e72a1c12a423e91d563a7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
9094523dad1c6c397e69ff29c8643f36

SHA1
7b3e2348382168fb108c1ecfec58bc6c1ca75d9e

SHA256
69442bd79b7ed832cbaafb63a59e8b9c0b53c299dadaf14a50c55fc9e62de563

SHA512
6ad182a85f2c73958f671870cb8ab29424fb5ce751d9dee711c65c98f225e6a05680dbf81f5a9d281edb74963c2d2dce367fd3984f8966be9ae0e706b832b00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
438B

MD5
d9d58a9299c421f56cc98f530ca49364

SHA1
9fd5bc88781e1cf1e8bc9da58d9e5aa418e43bc8

SHA256
4ec422e24d8841c70a2003ad2997bc9e287b25fe5c40d4b238df70768e8d0739

SHA512
bdea6b681b5a6b80826a8b341f68a28fca8dea08453ed293585ffc83faa9ee4efcf5f05486faa01854d8e8d7968d8c6a4976c8c802c9c93287469e791cd0946c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
48eed18f4d463249717064816c8225eb

SHA1
25e309dd39f400720f2863287a68446ba1931640

SHA256
dd75f7632061f5207324c0ac62ec1044cd44cfb1f948db418f1e98d8ba2ee477

SHA512
e990870e8d62c5f5800702676f5922b1a9bf78d9ee66fa9a7d86ea635ca423b5674618f787eb6454cc36887e017e1fdc23b837f1de922b5f92bf5367b0d5560c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
1355383192d02ffa92cca5372cac72f8

SHA1
2d31d942a2b0f04130bfedd730f49a9bd4ad7e29

SHA256
ca52f5c636f5294cd493ee04b2efa8d64fc61330de137606fb47ffe640b7bbce

SHA512
1338140f88ced59cd8f1a38ae4471c8e22d663a92f8dfd04d5fbe9a983ccba5875f64981fcb806e51152722eb55303c090e40530dd70fb8f85aa45ddc86052f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
25b5ad182478d7c2afe7a5fe30f1a9b0

SHA1
2692032861a7fcce2bd4e60a86a03da82e0557a6

SHA256
0b790c7aca4929a1bf10dd80ae747415f8d068ee6bf30ff6711ec5ebba7db49f

SHA512
cd53aa5fe9a7c6690d32b439b48b306b2ab41f7a85dc470858fb91ff78b14964ffe335abf1346e2b1729e8987f836c92fbcd9f29aa06fd62ded4230eaaa41676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
19KB

MD5
008e57f5a87104b80a47ff9dff588b31

SHA1
d97be6b0184529d222535e93f1da41cd39935c32

SHA256
08cb7f3b90fe619d21879d6b47abd18e08c87717c011d1865d4c414c4563d9fd

SHA512
8b61cbef0fcb99f9ed3c2567d36f5a15603d4e9c0e55f191a811c4c54650d211f2743b229cd41e961806e95ca2b5bdab51c0920ed2c9bbcd252202d8021c8224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
21KB

MD5
b253b0eb520dcd3b2415c15c7ed5f10c

SHA1
5e065ce27694c5f923ffeb6452c0510146484022

SHA256
5a6a98ad3f136aaa1da42574651fce3b6597270c07880e511ebafda247f20664

SHA512
15ea098c12eff264c4546308ca6c88cca07b39ebee316172e52f679c1d0b93f9d76d08deae829261bf503b73528671a5d151e357d6990a50dcfe1b75692e0cce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
15KB

MD5
9eae2d1e8ea80c53cb923eabad600416

SHA1
b4ba7b37750e08cf22d956049392c33c5ec0801d

SHA256
2dc9d8ba4be153541d8890d36b73640feade03e4d10b4f64c7f9e57be7b73534

SHA512
e3e73912def4a66b8ff71efee79c55601e0ce3d9b2461836690f6c499e3e87dc9132eeb159031f069006be2469a92ab32d13748aa9f07ac6d541c1c91676c48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
438B

MD5
27d67ae30dfccbda3041891e478dcb71

SHA1
f1a13c180303338d5d1c0a712824a5ee3747b182

SHA256
b82c7c2479292664ff083143e1178300a5399fbd2d17d245f59a047dcf1b7bb8

SHA512
21c8c4200d1c73d09819126ac7cf05e4eeb037c0e1fc09ced34b64b332fdd25165deebfced61abf3e4c3e20689c77440b6f19e04dd6354aba96d182652bc6df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
575B

MD5
b1e574614e0ba6ec775b61ecf535d6b8

SHA1
73fe382be07d987e04bf0f5e13e54de4a270a4a1

SHA256
6b6d101daa7396300a31110a466ada1eb97ae6781c54de6b6355f3b61d4cdf26

SHA512
3855e1f4871fd1b2921000834a72e3ce980a239959f8f7e174ca784ed64ee847cb81bf32d83c8a161e5e7cf44a83d3340a90307f665dc55752c17dbd41a3eac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
f4ad5b8c662233dd73c2749eaad31ff1

SHA1
e81c32864aef0c671cc54b46e1306bfe4f38cac3

SHA256
2a84efdd7cf22548fb6676fe1c573752848fa7b59ca4abd4b9bbc96c8c4c7ca4

SHA512
132d38f8870a50822ab1d545d1e3d3e471fdf0f8ca1b7b94236eb0d077293b6c6e6c5a75a0f09ad46f943f8e448740e4d8a271ff326f9baaa2cf24cfb180c29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
575B

MD5
a0707792f62154b4329589fc369a25a8

SHA1
8903f16b3ccd263a89d04313b3e6e66e73694753

SHA256
51c60779901a325dc7d08860cd041d02a465b20672b60cf10debdbb35e0ac400

SHA512
d03f8dfae861a27baf83a67c57ac8f08cfeba59333d2003b55fa8647a43ef72064d72b2e4b1aa6bf2045050de931d7364b17cccf717cfe274059c0eb0a490ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NFQ3TLE0\www.youtube[1].xml

Filesize
2KB

MD5
de27aa3e230d28ea0cfc171f96846cb5

SHA1
85ce1433f9a4c32003c483dc183260672218b084

SHA256
2e9990c8eeb8520d344fe9cc319b6c848cb208b381d555d6c79fd74508592566

SHA512
49eb037a79447dcf0449d134acbe9f433e998cfc02b55f1817e6062f3c22cf79e31d55095851a7969f268d8bc98309ca4233fee4eb72fcb5f0939666242bf1f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\AZmawUnBjeS4tv-yJel4MSA3UkbDC8sKRCiM64fOhhQ[1].js

Filesize
54KB

MD5
a381f2eb4da0900b40e51eb857515d3c

SHA1
3dea82df6f85729a170d68eb6b81c7b6dc651704

SHA256
01999ac149c18de4b8b6ffb225e9783120375246c30bcb0a44288ceb87ce8614

SHA512
7db34abf2c3144264bcb4324354f739e9a41f5aed24343ad7020a56c912e64b51f4be7a274fa67ce0322a6bbf65e139ff8ddb7cb3e436a8970442c4d540e0c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\KRkEAc8xU6vBmfhqWcqEwWKoQA0wmYHxze0p1ZnCdn8[1].js

Filesize
24KB

MD5
a049b112ffdfedb83481f11cc8e8c096

SHA1
f1fc30350353f88178f613e6bcd5431e81177ffe

SHA256
29190401cf3153abc199f86a59ca84c162a8400d309981f1cded29d599c2767f

SHA512
766c31dd8f83faec900a2f2bb87940c0623514b0b9c0bff430c73634811d48ef9343e17162aa6149afdd9d5222287690af33b03f4c041e2a26e0cefac303e7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\d[1]

Filesize
23KB

MD5
ef76c804c0bc0cb9a96e9b3200b50da5

SHA1
efadb4f24bc5ba2d66c9bf4d76ef71b1b0fde954

SHA256
30024e76936a08c73e918f80e327fff82ee1bd1a25f31f9fce88b4b4d546055d

SHA512
735b6470e4639e2d13d6b8247e948dbd6082650902a9441b439ceacc4dfce12cd6c9840ee4c4dcb8a8f1e22adb80968f63ace0c0051811a8d6d1afb2b3c68d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\geo[1].png

Filesize
2KB

MD5
d690e7ca1d1e245a00421f46d6bb361a

SHA1
a0e1e032366440d721fb91a14839a4ed2bc77ff3

SHA256
5a5513105fb8a11a2522ab5f69bd6bd86321d77623d3169d8599641bab053543

SHA512
d42a491a15fac8eda60d131ed051546734788854f3152b5768ca7ea4b4b3c8c66c30e31752beac66816f1c291a54d7cd37c12d8019ebff25598228ac24cee592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\jquery.fancybox.min[1].css

Filesize
12KB

MD5
a2d42584292f64c5827e8b67b1b38726

SHA1
1be9b79be02a1cfc5d96c4a5e0feb8f472babd95

SHA256
5736e3eec0c34bfc288854b7b8d2a8f1e22e9e2e7dae3c8d1ad5dfb2d4734ad0

SHA512
1fd8eb6628a8a5476c2e983de00df7dc47ee9a0501a4ef4c75bc52b5d7884e8f8a10831a35f1cdbf0ca38c325bf8444f6914ba0e9c9194a6ef3d46ac348b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\js[1].js

Filesize
275KB

MD5
5e918d09f69f5f276d7a2f6e106f4571

SHA1
c6081c380ec9abd977bf0ab848a9829d27982d49

SHA256
be82584e6f59426244cbf50e294db78391cb7bd3e6b9dc43d992adb3d46fd69e

SHA512
7d6f06bcd21d160b9e47d4c239fb9560778e57973fe4284629c4478493965712f7327b7a46d5184921773b293e2015541b7255dfc89394d2950b2e1ca233a919

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\logo[1].png

Filesize
3KB

MD5
f988bb4ef8b8ffa55ca04841c9056312

SHA1
52b0d79df1da68016157367c5de7b1c977bce0c1

SHA256
bfb7ccbb51dfdbb3b540b8da2ca6f7f34c35d028137e67a0017d7e3da5426703

SHA512
db3b6bfb59f09758878d6f55d3d6728186e00b13606b6340fe07b80f0eb2e45fe75f4cc51c12e9f73db468729d973f305bca9e1dd90a35f42a70a1552523ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\main[1].js

Filesize
7KB

MD5
9889cd73306c29d8e93a3f55f10ac988

SHA1
4c9c11750c84da1b0c36b817d01d3e9ad8ec2ab0

SHA256
7dee14315fc3060c56abcc2c29b073956ab3066f8bcaf86f403408585740cca1

SHA512
19aabd937a46c20f8e5361978b34534e1d6ba982671c5f433d321d1a2fa01a9a0167e11a8f82d8d45eeb54483d3a32fafb5ceca518db4cf01c8fcec44899172f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\o-0mIpQlx3QUlC5A4PNB6Ryti20_6n1iPHjcz6L1SoM-jCpoiyD9A-9a6VQ[1].woff

Filesize
16KB

MD5
642d45886c2e7112f37bd5c1b320bab1

SHA1
f4af9715c8bdbad8344db3b9184640c36ce52fa3

SHA256
5ac87e4cb313416a44152e9a8340cb374877bb5cb0028837178e542c03008055

SHA512
acda4fedd74f98bcee7cf0b58e7208bdb6c799d05fa43b3fb1cd472e22626322f149d690fe5f2cdc8953244f2899bebe55513b6f766a1f4511d213985a660c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\phone-icon[1].png

Filesize
705B

MD5
296e4b34af0bb4eb0481e92ae0d02389

SHA1
5bd4d274695c203edc3e45241d88cda8704a9678

SHA256
eada6e51071e406f0ec095cdd63092399a729a630ae841c8e374ff10dca103aa

SHA512
0bed089f0ac81291a532194377acde5beafa7763f445e80c3eaa7206740c582dde843f65b5b3885d9b2e34610b2eda45885c8d45c31408761adf4f81f3caed1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\reboot.min[1].css

Filesize
3KB

MD5
51b8b71098eeed2c55a4534e48579a16

SHA1
2ec1922d2bfaf67bf3ffabe43a11e3bf481dc5d7

SHA256
bd78e3bcc569d029e7c709144e4038dede4d92a143e77bc46e4f15913769758b

SHA512
2597223e603e095bf405998aacd8585f85e66de8d992a9078951dd85f462217305e215b4828188bf7840368d8116ed8fb5d95f3bfab00240b4a8ddab71ac760d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\responsive[1].css

Filesize
66KB

MD5
4998fe22f90eacce5aa2ec3b3b37bd81

SHA1
f871e53836d5049ef2dafa26c3e20acab38a9155

SHA256
93fcbfca018780a8af6e48a2c4cd6f7ad314730440236c787d581e2cef1ab8f8

SHA512
822158dac2694341f6cf5c8f14f017ac877c00143194d3cd0a67ffd4d97f9bf8f2305e33b99fa12f62eee53ba18029541c0601ea5496ff50279d1200cfa03232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\script[1].js

Filesize
96KB

MD5
28becf0e5ce8d65f6f9e33e5954a1a79

SHA1
69d67a8f41d803b62218f02a28ebaf53f32e072e

SHA256
c59fa2847d6798cd7b5ebbd9b7832eb95e6b8aeffff195d3312ac7094049ac50

SHA512
3d6734183f99b73e5bf6097f2f388ca83ca7d20a849b77c871e28c2cd3e65d9fc0a020fbd349b08bbd916493089396386623d695af964a6a1f273429cca1ad6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\t[1].gif

Filesize
49B

MD5
56398e76be6355ad5999b262208a17c9

SHA1
a1fdee122b95748d81cee426d717c05b5174fe96

SHA256
2f561b02a49376e3679acd5975e3790abdff09ecbadfa1e1858c7ba26e3ffcef

SHA512
fd8b021f0236e487bfee13bf8f0ae98760abc492f7ca3023e292631979e135cb4ccb0c89b6234971b060ad72c0ca4474cbb5092c6c7a3255d81a54a36277b486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\webworker[1].js

Filesize
102B

MD5
487a5328afcf6c20ddc11ca1b46a4a44

SHA1
f37e030501a0a3ff828bef96481ac1c71043999f

SHA256
de9539c3628315c1a7d33dc3e09dd75767bce3868c188cdc7c90ff207da0fec3

SHA512
71e22ba1a7bcab2f7ddce3153eee1cd961de32a9000c94a59f097cecac9918e94b4cfbd944081a1df4a594f20193bcb39fa7323b3e519e5d5956c342908dc53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\530HAD4Y\www-player[1].css

Filesize
373KB

MD5
e6b015bf9cd3ad93f69bef39621808c9

SHA1
a4d6ad61c8803a111bbabc026c00916077130521

SHA256
ed5e9e73ebaa88d1d46cb44d0340a9c57239a0670751196f0e53a791e717ccab

SHA512
81f37ddb55516afa71757dba5570a201d27f8bdc78e2018d95b3e3ecfae86a823c75c840f63cac35b2408daf877c0373b7bd426a0c27f048ca0ca68db5d26660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

Filesize
19KB

MD5
de8b7431b74642e830af4d4f4b513ec9

SHA1
f549f1fe8a0b86ef3fbdcb8d508440aff84c385c

SHA256
3bfe46bb1ca35b205306c5ec664e99e4a816f48a417b6b42e77a1f43f0bc4e7a

SHA512
57d3d4de3816307ed954b796c13bfa34af22a46a2fea310df90e966301350ae8adac62bcd2abf7d7768e6bdcbb3dfc5069378a728436173d07abfa483c1025ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\KFOlCnqEu92Fr1MmEU9fBBc9[1].ttf

Filesize
34KB

MD5
4d88404f733741eaacfda2e318840a98

SHA1
49e0f3d32666ac36205f84ac7457030ca0a9d95f

SHA256
b464107219af95400af44c949574d9617de760e100712d4dec8f51a76c50dda1

SHA512
2e5d3280d5f7e70ca3ea29e7c01f47feb57fe93fc55fd0ea63641e99e5d699bb4b1f1f686da25c91ba4f64833f9946070f7546558cbd68249b0d853949ff85c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\KFOmCnqEu92Fr1Mu4mxP[1].ttf

Filesize
34KB

MD5
372d0cc3288fe8e97df49742baefce90

SHA1
754d9eaa4a009c42e8d6d40c632a1dad6d44ec21

SHA256
466989fd178ca6ed13641893b7003e5d6ec36e42c2a816dee71f87b775ea097f

SHA512
8447bc59795b16877974cd77c52729f6ff08a1e741f68ff445c087ecc09c8c4822b83e8907d156a00be81cb2c0259081926e758c12b3aea023ac574e4a6c9885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\care[1].png

Filesize
683B

MD5
92fb833b653eabd92e27c6efc5aab3fe

SHA1
95d9db7a7478a820c99184686b1677ed428e50ad

SHA256
648a2af4c5486a91b68bfa1ee8b60a8136410fabaa602d6e593852fd9d1d3ebd

SHA512
955c38ba8dbdd20a6df9807993c342124c45e21cb6075eeaf339fb66aaf64a2239a92fd415bce3109efa9c5bcd4246983626a1f75a5dcd3d720fa6938130352d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\css[1].css

Filesize
530B

MD5
1e7cca7a1b89ea2980669f4adb65becd

SHA1
62da7767f3bb769a9b31e400df446a4698e4db63

SHA256
598ad75d6e2e244b759b3f376b510f0ba560b77cc74f48351dcf2abdb7df474f

SHA512
206b90eab94f9ce7260ec624ec9a8afd70bba96d4dc5d8a545a29cd73e55832196e509523da1123c2279eb4cb63fef429e28a3438a268dd3fabd1fd949caf1c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\domain_profile[1].htm

Filesize
6KB

MD5
bc478a2152d87def56b4d565be79ecdf

SHA1
ef0bbf6db27b03dee8190caec0f5d7fb55602319

SHA256
301c1f5508654314d8fe658dd6f602888b567cf904233922c73ec4ae8df258ba

SHA512
2270f44230a22fb10f966d1e579e0e454247fe7ab7b6c371e59c2216a3e3b57f0d20c60e7ead3d1581e2403bd5fc55d04909895ff81491f7b0d6088c8c396d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\domain_profile[1].htm

Filesize
41KB

MD5
407c5992974bee5f71eae525ece212ab

SHA1
6983e76b5b3b40c65eb732c1a4b2428ee8d89b20

SHA256
27b314c9ac9cab25f049ada0d849126e6e89b795023bd3437d14214fc1f390b9

SHA512
cb74d8f9446ff364d7d58e8bfcfdc249ceea9a9b9bfc786d87bf86dbc4accdca517cc484e6ff5d4d80ef5ea1ea86edde6595413584b5cc82352d284309a32df0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\embed[1].js

Filesize
64KB

MD5
54f8460d351b1e95a24a0473e4a84b7e

SHA1
dfa6ade2c2bec7dc35b40c3ca94cbee51b113b73

SHA256
e9662200d9db345038c2ab33c84b193449677f660b5fdf00bd55d787659e38f4

SHA512
fac1e11f329691fdd47042528321f5a19ae6ae04e30430b8d7c978a4ac5527a201482a7cb2244fe475d00a27163d1988112662c340164e24b889c13cfee73a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\hd-style[1].css

Filesize
41KB

MD5
2ea4a69df5283a1cfd0a1160203ebfe8

SHA1
1c454fb9cac7ac0b1f65cd5c93bc2c9a0da8479a

SHA256
908a427dd11cc624f78bf96e4f775ba708e1bb1fbaaa8566977f3ec54416126b

SHA512
197333dc17a36ff127e6e001a898583322ad7ffa76e24003378f462b041e215194a2529eedd5f93e7e35a0e21dcd88db49c5afd18a0f7cff4cb00f50700c884d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\recaptcha__en[1].js

Filesize
531KB

MD5
2ea96f82197c227ad3d999f6a6fcf54d

SHA1
dc1499948a1822d16cab150eaee16f4ab8c028d8

SHA256
e1d667d61bb50e0a815101a7d0d7f379b7219776fee856eedbe965a049db8d44

SHA512
dafee1d415487b796e02ef295073382aac48ac76e90c749028a9241bd44ec04ec2ee34163b8177f94d01e9e9d87577ec34c18d780a9f17b80923106d992749a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\MDMHN06X\style[2].css

Filesize
165KB

MD5
65760e3b3b198746b7e73e4de28efea1

SHA1
1d1a2cce09b28cffc89378b0a60cbb1aa8a08c4f

SHA256
10e40ea3a2ad69c08d13e194cf13eb4a28a093c939758a17a6a775ef603ac4fc

SHA512
fbcb91f26b7bd874d6a6a3b1d4d6f7277ded091cdae5706c285b4d5d17446a1bf58572c224af38393ce49b310a51d5c5d60711c7094e5d32abbaaf10d1107e1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\analytics[1].js

Filesize
51KB

MD5
575b5480531da4d14e7453e2016fe0bc

SHA1
e5c5f3134fe29e60b591c87ea85951f0aea36ee1

SHA256
de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

SHA512
174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\api[1].js

Filesize
870B

MD5
e9dec22fcfdf664ec4fa785cc2d8317a

SHA1
65b176ba5ab9cac538af82ea4f580c3bf22d0305

SHA256
0f0a70b4ff4a326079d0a1063ae8905940ca4e2529ba64169d42952966f9f693

SHA512
5781361dd03e3a896504f1c8776a9d862ecd103c67925ae0762fd32128a29730887b336fdf2e4dc2ab5f28bf8a84f1e8a98f94ec7d38191044a56251a29d0b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\banner[1].js

Filesize
99KB

MD5
6b1506e94ef140bcda65924f33eb2d4d

SHA1
e9ad74fb7d2a1b761b992bc58cfd4d46a26db690

SHA256
ef8916e10719b5acae506568cf90b13afa248522bee92df20056935ad553ae8d

SHA512
ba9552eeb78a57aec1a62616a0326cd8746d5e1e29c2a5730e6081839118126cded62856755742d03cb752140ebfe1eb7d078427a2cf4a48fe83c8f63ba55c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\base[1].js

Filesize
2.3MB

MD5
62340cfe6ae70940fe866e9147e72d86

SHA1
871a8f2921e1688280f485327503e855dc6a7402

SHA256
b1d2de7d7bf51f30183c52aab95a2aab7bdadba8caa1c4cb62846c0a2cabb8f8

SHA512
93095db6a2cf2469acb4c8c44fc6f12a18a24e0e99833c564f4a34cd085476f48dff2056f321df513cb091ec79b20b948cf32f7ef29f16e41a510196fbc18417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\common[1].js

Filesize
8KB

MD5
56b21f24437bfc88afae189f4c9a40ff

SHA1
a9d3acad3d4c35da454e4a654bdd38f8d2c4e9d0

SHA256
cfece1b609f896c5cd5e6dbe86be3ba30a444426a139aec7490305ebf4753ed4

SHA512
53d4718e60a47526be027c7829f9ad48f381e22765790f20db35ff646bd994f8085b12b8fbeefd5b29ecda8f71f4c6c62b64652bc9a7256e001b5e4047c21651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\enterprise[1].js

Filesize
1KB

MD5
e9b9e4919cc3c0c662149223aeec6233

SHA1
e341098071d7d74558fcd565c250fb577f57338d

SHA256
b42eff873034830a88267486e35676914e826cddd91f9d9cef584dc8bd92b140

SHA512
25e88812cfaf9fc9b09d76301748506de834d1b7d7bff3e8aaff5a331d9cd79f1a46e299a7e35ed50ab165419e94eba6793e976a045c31ea9b2c9afb3043859d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\escrow[1].png

Filesize
2KB

MD5
78b034232f0b70262484b314a1e1647d

SHA1
8da15f0b8a2a9898dc9caecd8f6d592bc07c0a84

SHA256
d479e382c9e8278ef3b6f9b7a349d1a849056ec4a7b35f4b71d1b6e8e12e2580

SHA512
7ca7ffcf11153cb754ea3c5f5cb300497a7ab22c34922adc59a74dece2d75ff8a25335299e7d045aa2b4bee87541d6a7b99de144095d4c952a88488ad9ae3638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\js[1].js

Filesize
208KB

MD5
6e6ebdc2d12e15e3efbea1b0e7b23931

SHA1
2ba2a50a3efe1c2791b6eeccd82eb00a5b53ae5d

SHA256
844523292d3e8bc7a719dc686abe3873a0da4bd032f0500229aed8fc7e48f4e5

SHA512
9c0ee489e6d6aff6fc5f43acb8639f6b3775bf6de6480e03c835f19c93c3fdc14d5df09f3f8d0923ccc76e77e24f86b92c88d25b751758c527ac34bb7ca58682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\o-0mIpQlx3QUlC5A4PNB6Ryti20_6n1iPHjcz6L1SoM-jCpoiyAaBO9a6VQ[1].woff

Filesize
16KB

MD5
adda182c554df680e53ea425e49cdf0d

SHA1
9bcac358bdab12b66d8f6c2b3a55d318abe8e3ae

SHA256
d653648b9d6467b7729f0cea0c02e4e9f47323c92a9fcdbcb12475c95ac024df

SHA512
7de2140ee3859b04c59a9473129c3acad91022962d46ffc63529bff278661f0e106a16dde90e8db523f826f82e7c20ad9b23f45a25e81932fd2d8708b616fba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\script[1].js

Filesize
9KB

MD5
defee0a43f53c0bd24b5420db2325418

SHA1
55e3fdbced6fb04f1a2a664209f6117110b206f3

SHA256
c1f8e55b298dc653477b557d4d9ef04951b3b8ba8362a836c54e2db10cda4d09

SHA512
33d1a6753a32ec06dcfc07637e9654af9321fe9fa2590efc70893eb58c8603505f2be69084fb2bcbf929218c4e7df9f7a8bc3f17a5b41ed38c4d8645296ebab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PE7M7D0W\www-embed-player[1].js

Filesize
324KB

MD5
5fc1418db93aa05fa2b5f15c4b88b20f

SHA1
5ce2e5758f76f505d3a81349996d9a4139b4a257

SHA256
eed5eb90eb30e77d1bde076ed7dbbaaf7ed64ebe5d13e1a1542f11fe4f856781

SHA512
ffa0c32c4fc162ced01e2054f621d9dcf703934faae5f2302de605b0a8718eb6d89c2d75aaf43361e6ac993d2347866cb2abb6f12e5e31af51aa087333184307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\KFOlCnqEu92Fr1MmYUtfBBc9[1].ttf

Filesize
34KB

MD5
4d99b85fa964307056c1410f78f51439

SHA1
f8e30a1a61011f1ee42435d7e18ba7e21d4ee894

SHA256
01027695832f4a3850663c9e798eb03eadfd1462d0b76e7c5ac6465d2d77dbd0

SHA512
13d93544b16453fe9ac9fc025c3d4320c1c83a2eca4cd01132ce5c68b12e150bc7d96341f10cbaa2777526cf72b2ca0cd64458b3df1875a184bbb907c5e3d731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\KFOmCnqEu92Fr1Mu4mxM[1].woff

Filesize
19KB

MD5
bafb105baeb22d965c70fe52ba6b49d9

SHA1
934014cc9bbe5883542be756b3146c05844b254f

SHA256
1570f866bf6eae82041e407280894a86ad2b8b275e01908ae156914dc693a4ed

SHA512
85a91773b0283e3b2400c773527542228478cc1b9e8ad8ea62435d705e98702a40bedf26cb5b0900dd8fecc79f802b8c1839184e787d9416886dbc73dff22a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\ad_status[1].js

Filesize
29B

MD5
1fa71744db23d0f8df9cce6719defcb7

SHA1
e4be9b7136697942a036f97cf26ebaf703ad2067

SHA256
eed0dc1fdb5d97ed188ae16fd5e1024a5bb744af47340346be2146300a6c54b9

SHA512
17fa262901b608368eb4b70910da67e1f11b9cfb2c9dc81844f55bee1db3ec11f704d81ab20f2dda973378f9c0df56eaad8111f34b92e4161a4d194ba902f82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\counter[1].js

Filesize
35KB

MD5
b5af8efecbad3bca820a36e59dde6817

SHA1
59995d077486017c84d475206eba1d5e909800b1

SHA256
a6b293451a19dfb0f68649e5ceabac93b2d4155e64fe7f3e3af21a19984e2368

SHA512
aac377f6094dc0411b8ef94a08174d12cbb25f6d6279e10ffb325d5215c40d7b61617186a03db7084d827e7310dc38e2bd8d67cf591e6fb0a46f8191d715de7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\domain_profile[1].htm

Filesize
41KB

MD5
80938069cc900b245553eb73b8a8d333

SHA1
661caf365e4d972db080e9dd210ce3425f190ec7

SHA256
129c57e9da53130001c9a716cb9037abad7bfed6ef22aa287fcae678f64e02c8

SHA512
441d99a359a6f4c0bd0cf1fbf92f0fa42379e2fc3d6a7c8567b98f6881150ffb5815b664ffe1ac037af9d156c574affa5d857b171c1cbb71b3f036ab59022864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\guarant-footer[1].png

Filesize
1KB

MD5
ebc6a32aaf8ea9681969745fb569ba91

SHA1
6620dac92b6a9274b943ab6fc0d1c8ae273b3f9a

SHA256
f871b5aac8bac1e406f07ceed1e33f7c0f4bdfdcf3cff87ed30b54986d21647d

SHA512
95352a45075dee231df82884b5a8f4fd1bc1cb08374ecc4d58bd77d8f2173bc5b0e5eee41cf5f94ec45a7608b0483c48d00c1dcd5ad7c463582409a5e7c32c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\hd-js[1].js

Filesize
23KB

MD5
6761faa022e0371e84e74a5916ebaa44

SHA1
5320c3d53d5447bad2a02c63208deca7fb94b655

SHA256
da17fb5b54c0fcd77c7358ff274823cb6a02ba0c4b6fcdf347c1ef611818bd9e

SHA512
a8cdba92942f299b648e87109d193a1f7eeb8f243eb2bbe4224423b512c400fccf930d81cd403a925fdf99220fdffcf89da69305cdc054963a64da470072d019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\hd-js[2].js

Filesize
337B

MD5
4bed3d25fce38304d90ed10895db2bef

SHA1
94aed83b43a733f132f269e939fe5cffbb219902

SHA256
58be4f1accb7d3a42ca39d346eaf878d75d4f20614ff05e1f01ba3996f6f1ea7

SHA512
9e1f7faf0581e67367cd6c76347ec1857bc14c291953d355d685431e1fae1d07c6211a9178a5fb32027c0733cccc86f8e7be2136d7b896bafe4518263e111b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\hd-style-print[1].css

Filesize
1KB

MD5
7878fda89f8e725fa06880d1890f9c00

SHA1
3f8e8aa44d26d3cff13159830cf50aa651299043

SHA256
6d17b244f2b4b8a93886dbe5cffad1cbe8fc9079495fb972a10fac1eda0a16ce

SHA512
392d457f4c54088abef2b4deeb042220ab318d00d1157fc27386a5faac821c70c78c8452c99bc75758fa36643932938274c171589307919ec01e293010ea35fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\jquery.min[1].js

Filesize
84KB

MD5
c9f5aeeca3ad37bf2aa006139b935f0a

SHA1
1055018c28ab41087ef9ccefe411606893dabea2

SHA256
87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de

SHA512
dcff2b5c2b8625d3593a7531ff4ddcd633939cc9f7acfeb79c18a9e6038fdaa99487960075502f159d44f902d965b0b5aed32b41bfa66a1dc07d85b5d5152b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\p[1].css

Filesize
5B

MD5
83d24d4b43cc7eef2b61e66c95f3d158

SHA1
f0cafc285ee23bb6c28c5166f305493c4331c84d

SHA256
1c0ff118a4290c99f39c90abb38703a866e47251b23cca20266c69c812ccafeb

SHA512
e6e84563d3a55767f8e5f36c4e217a0768120d6e15ce4d01aa63d36af7ec8d20b600ce96dcc56de91ec7e55e83a8267baddd68b61447069b82abdb2e92c6acb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VF89GZ6O\zyw6mds[1].css

Filesize
1KB

MD5
a5bb75d5bd1b19def25c1dd4f3d4e09c

SHA1
d0c1457e8f357c964b9d4b6c0788e89717fe651f

SHA256
ff0689879c72300a01eae0c05c3205e2ca57c4bc1a6bfa0718fa6fea4a51627e

SHA512
b9fc57f7ade8f34cb02ece2935acb30757ed846e4bcf81d3fcf5bfcb45611d386bd337a6337e9945c5654cf044dce4dd3fafd60a2b42ed5bdc857ef96d077a69

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
3a09b074504c27ee28b84498bd87238b

SHA1
cc9e6c8f5d92fb0241bc0c90d4256c64b018ef8e

SHA256
f41f137eef333df8f556402ab721d2fb13045f543374ab33a0d6958cbcd663ef

SHA512
6aa537a347b74631830312db654231a07ecfbf6caa26761926684ead24f364b3b97005ab4f912ae6d0360e994a1764047d21e3a7f148a32f0838c86ce10a77f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
9227e7154fbac3a32dabcc831ef66d25

SHA1
9b415d1784ce7b1902385c2d250530743e40e948

SHA256
c08b8daeaf3078d72b203ee5e203a6f0b15e0d1a2e8d5c449c41fa17e601242d

SHA512
d1bec9c55900e0df33c63d7059fa9af9efd52778eb5e7ac9891f5bc3691f467d66fa8a380c8bbeb5364c8c717a4667f111c0f03f4e51adfda6fa59b0a1f61fd8

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.0MB

MD5
77ff8dae8b08b8581bdf7bb5d0d2cf7c

SHA1
698bae6e8fc54fbb4620761583c43fea7909881e

SHA256
e0fec3d8bfcad9ebeabbaf924bca008206b5bd14c499e6a95bf74f695672bb58

SHA512
a1dce277eb85b5622adfd853ad01f6b8d3708f0918f2ffa94aea63f1924eb2cc73208a90cd5c373cfcd893088424beb96338598596ad90350675294549e855f7

Download Submit
memory/372-14-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/372-296-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2080-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2080-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2080-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3996-747-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-295-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-42-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-24-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-20-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-857-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-647-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-547-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-1208-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-965-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3996-1955-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download