4107e85bfe5a59479ac7a7073aaed5f89957c235ac9d5c5f8d8475543835b446

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe
Size

240KB
MD5

81c9b77ef919c8ebc9155db37b7fcc98
SHA1

963de199f14c842eedc3468a9a3143ccc58a71b8
SHA256

4107e85bfe5a59479ac7a7073aaed5f89957c235ac9d5c5f8d8475543835b446
SHA512

5ad1bfafc7ec921893975c3922c63d037d56755a00e98e12bc53e3aedf08fe60c64829c075b65f4d9c8fc7bf51d50724f961833def69913ceabd8973385fe37b
SSDEEP

6144:QJ8a+jGuR4JH3+3bQI4mUa4zFXdOpvg4T:QDNRmQn4T

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2176	PETC.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06BD9B83-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1EA58AA1-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{48598182-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06BD9B8D-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\PETC.exe	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{48598181-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\PETC.dll	PETC.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06BD9B81-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3380B6C2-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06BD9B81-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\PETC.dll	PETC.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{0D423F60-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\PETC.exe	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5D409481-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3380B6C1-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1EA58AA2-504D-11EF-B137-6E739D7B0BBB}.dat	IEXPLORE.EXE

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PETC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 0000000014000000000000000b000000ffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000400010015001e0027000603	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80708000400010015001e0022002100	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 01000000000000004007a7c959e4da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000000b000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 090000000100000009000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000400010015001e0022002100	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80708000400010015001c003000c703	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 20e39fc959e4da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 000000000900000000000000090000000100000009000000ffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{06BD9B81-504D-11EF-B137-6E739D7B0BBB} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "5"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "9"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000016fc4017e6a43544a5fa5dd25b12902d00000000020000000000106600000001000020000000b38ed802af84f060a16c2c9a7ca6766564ee085e7c11fa3e0efade763088883e000000000e8000000002000020000000a0ff01400affeaeb679a20a1fb7200b2b092f586ebb72472816637d8d5a1632b5000000026da51ffa6fc33da5a12d8bebc77282b65cca9af5d5827ec3071194c020a151506bcb7e0d478b875ac872f4c8fc6b905ff6e76550f67d6086f32b475274e7c849f4571e99600096528745d3d492a521b4000000067ca0390697085f0305ec7081497f46f01b083eb8b3b32cc7f961b76c1c2e4ada64d7380c2c6e575a620df9fe92b9bff3ceb36e54c106b9ca39512d0a2808e81	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80708000400010015001c003300a30300000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80708000400010015001d001d002803	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-80-07-34-ab-cf	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80708000400010015001c002c00da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	PETC.exe
Token: SeDebugPrivilege	2176	PETC.exe
Token: SeDebugPrivilege	2176	PETC.exe
Token: SeDebugPrivilege	2176	PETC.exe
Token: SeDebugPrivilege	2176	PETC.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
1436	IEXPLORE.EXE
1436	IEXPLORE.EXE
1436	IEXPLORE.EXE
1436	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
1784	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2800	IEXPLORE.EXE
2800	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2364	2176	PETC.exe	29
PID 2176 wrote to memory of 2364	2176	PETC.exe	29
PID 2176 wrote to memory of 2364	2176	PETC.exe	29
PID 2176 wrote to memory of 2364	2176	PETC.exe	29
PID 2472 wrote to memory of 2608	2472	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2608	2472	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2608	2472	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe	30
PID 2472 wrote to memory of 2608	2472	81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe	30
PID 2364 wrote to memory of 2800	2364	IEXPLORE.EXE	31
PID 2364 wrote to memory of 2800	2364	IEXPLORE.EXE	31
PID 2364 wrote to memory of 2800	2364	IEXPLORE.EXE	31
PID 2364 wrote to memory of 2800	2364	IEXPLORE.EXE	31
PID 2800 wrote to memory of 2712	2800	IEXPLORE.EXE	32
PID 2800 wrote to memory of 2712	2800	IEXPLORE.EXE	32
PID 2800 wrote to memory of 2712	2800	IEXPLORE.EXE	32
PID 2800 wrote to memory of 2704	2800	IEXPLORE.EXE	34
PID 2800 wrote to memory of 2704	2800	IEXPLORE.EXE	34
PID 2800 wrote to memory of 2704	2800	IEXPLORE.EXE	34
PID 2800 wrote to memory of 2704	2800	IEXPLORE.EXE	34
PID 2176 wrote to memory of 2304	2176	PETC.exe	35
PID 2176 wrote to memory of 2304	2176	PETC.exe	35
PID 2176 wrote to memory of 2304	2176	PETC.exe	35
PID 2176 wrote to memory of 2304	2176	PETC.exe	35
PID 2304 wrote to memory of 2228	2304	IEXPLORE.EXE	36
PID 2304 wrote to memory of 2228	2304	IEXPLORE.EXE	36
PID 2304 wrote to memory of 2228	2304	IEXPLORE.EXE	36
PID 2304 wrote to memory of 2228	2304	IEXPLORE.EXE	36
PID 2800 wrote to memory of 1436	2800	IEXPLORE.EXE	37
PID 2800 wrote to memory of 1436	2800	IEXPLORE.EXE	37
PID 2800 wrote to memory of 1436	2800	IEXPLORE.EXE	37
PID 2800 wrote to memory of 1436	2800	IEXPLORE.EXE	37
PID 2176 wrote to memory of 576	2176	PETC.exe	38
PID 2176 wrote to memory of 576	2176	PETC.exe	38
PID 2176 wrote to memory of 576	2176	PETC.exe	38
PID 2176 wrote to memory of 576	2176	PETC.exe	38
PID 576 wrote to memory of 1156	576	IEXPLORE.EXE	39
PID 576 wrote to memory of 1156	576	IEXPLORE.EXE	39
PID 576 wrote to memory of 1156	576	IEXPLORE.EXE	39
PID 576 wrote to memory of 1156	576	IEXPLORE.EXE	39
PID 2800 wrote to memory of 1784	2800	IEXPLORE.EXE	40
PID 2800 wrote to memory of 1784	2800	IEXPLORE.EXE	40
PID 2800 wrote to memory of 1784	2800	IEXPLORE.EXE	40
PID 2800 wrote to memory of 1784	2800	IEXPLORE.EXE	40
PID 2176 wrote to memory of 1640	2176	PETC.exe	41
PID 2176 wrote to memory of 1640	2176	PETC.exe	41
PID 2176 wrote to memory of 1640	2176	PETC.exe	41
PID 2176 wrote to memory of 1640	2176	PETC.exe	41
PID 1640 wrote to memory of 1972	1640	IEXPLORE.EXE	42
PID 1640 wrote to memory of 1972	1640	IEXPLORE.EXE	42
PID 1640 wrote to memory of 1972	1640	IEXPLORE.EXE	42
PID 1640 wrote to memory of 1972	1640	IEXPLORE.EXE	42
PID 2800 wrote to memory of 2008	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 2008	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 2008	2800	IEXPLORE.EXE	43
PID 2800 wrote to memory of 2008	2800	IEXPLORE.EXE	43
PID 2176 wrote to memory of 2284	2176	PETC.exe	44
PID 2176 wrote to memory of 2284	2176	PETC.exe	44
PID 2176 wrote to memory of 2284	2176	PETC.exe	44
PID 2176 wrote to memory of 2284	2176	PETC.exe	44
PID 2284 wrote to memory of 1792	2284	IEXPLORE.EXE	45
PID 2284 wrote to memory of 1792	2284	IEXPLORE.EXE	45
PID 2284 wrote to memory of 1792	2284	IEXPLORE.EXE	45
PID 2284 wrote to memory of 1792	2284	IEXPLORE.EXE	45
PID 2176 wrote to memory of 2540	2176	PETC.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c9b77ef919c8ebc9155db37b7fcc98_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2608

C:\Windows\SysWOW64\PETC.exe
C:\Windows\SysWOW64\PETC.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2712
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1436
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275480 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1784
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:799760 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2008
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2800 CREDAT:275517 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2228
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1156
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1972
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1792
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2540
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
09fa11a84da8bc17e8cc1b582a05741d

SHA1
fe0c516a5220d2768465d15118c9f24636fc0b98

SHA256
9df18b6b51d493e34515842624843b459f218c77382fc55a9b7f9bb038a461db

SHA512
e825c5bf6453b591e86f8a553df9d9f0f24119b668ceb426ace067aef9feb79d8277f6c6681fee0cfd58c407c7d8c8e886738241de9ceda277ce7560de2594fa

Download Submit
C:\Windows\SysWOW64\PETC.exe

Filesize
240KB

MD5
81c9b77ef919c8ebc9155db37b7fcc98

SHA1
963de199f14c842eedc3468a9a3143ccc58a71b8

SHA256
4107e85bfe5a59479ac7a7073aaed5f89957c235ac9d5c5f8d8475543835b446

SHA512
5ad1bfafc7ec921893975c3922c63d037d56755a00e98e12bc53e3aedf08fe60c64829c075b65f4d9c8fc7bf51d50724f961833def69913ceabd8973385fe37b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7d70fd8faf92cee657dcf7433f3cb4ed

SHA1
eb424749f6f40295f26e8c2469586821ccdb4133

SHA256
cf4bd3902475b31dc00c0b680259f392c86be33f5611277619d2ae609c8f0066

SHA512
783df4161e386088f67ba40d8104dde838319119b26eafc509635f2c25f8c89697ed480a25f48cd3a740d9a509eb6efd1184eed70a064b99a18887a707c4d575

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31a413195b07f740de0a75cf49a3a41e

SHA1
11c616e9e4da037751ddda610f9296c77d2b4464

SHA256
ae2251cf4d3b4d786b7739ac061f968d0a009951e3efeec238db9679e7810d15

SHA512
b0667466f8f53926e4ebee8ae0492de9b794dc95703c1362fa6f4ba763f1d7b146aa3ab6eab4b4f0cf8bd63bfcfe91175303ca6f611dc9f8a84235734fafd78d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7324582bb8f052e2fad10823c95b2394

SHA1
d1948e9974c3df2bf7273d91932db75ac5742aba

SHA256
2b4a3fa27d42b5ee8a31f70aebeb1376c3879bfcc3c2d32f14a93171c951769f

SHA512
c034454f28fb87539ac4ef97158210320912fa0446d4230107472c04b067aaf2d7842f46e44030a1b4530ecc0e3b172cdf1cc871b58c8dd675250ddf4a1c975a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13dfd96b9a49535dc1c2dcf23dbf749c

SHA1
97437f58fcc5c7b1104cbcaef19eb3904008129f

SHA256
3e28c2e65154f642d45f7c28a43c5f4d1ea8c7332fb46ec4da13cb873a143947

SHA512
c07cf849dfebb7993ef1cc4bd64ba225c5ba46711c888de573ae0e5851d4541dd0974062c3f5e9d0c3dac87a757f65171402ce7d8961c7aef90cf6f4513beb3c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
caea7be93c2a0f23055ec8b101b6752d

SHA1
9360a2cc2d745605d02606af24324a2ac072e9f8

SHA256
02e403bd56983032523f489e2dcc5c710f77e6fed6761a810c11107e837e9b0d

SHA512
748e2a7681846f52240bcbebaa81eaca39b89160e2f80d9cf0ade29fcfc5999b907289b876a8be4efe7f3231fbe68cfe15976845f04bfbc29126aa61b9c84304

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e02b9fa918832fd4ae462d493853c64d

SHA1
2ddb824c50f766415afade370be9e15ec535c0a9

SHA256
d56d1113bc9f5785a30461f9653080d4da4c65a2681303a937744af5a3e3aa71

SHA512
2c1def594f29537794e4132b81b3448f673c0ebf8ddb6143189b47b4deeb8e2d341a3a5c20297fe93c0d87ee910921c800002c808a408c3e7c87d7b72cf0c366

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
519f64f805b76e4ee49cc2a0aad7010a

SHA1
e959374208a8f873f3e266161015cfd54818d8c0

SHA256
fd60655a96636cba0f0ab44b623c9830b474e38a1102e9ac9dba4bb4a15a1adb

SHA512
3f1eb80f2480b294e5d92581d9744a1a9243626c969e85f777cc9b49d736f85d7247990303ee2cc371d57e5d34c2754273f95f2d541c0329dcc7074ef0343c27

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19578f4df9efbea51210e2a956bd3ab0

SHA1
fad46ee58bf4612d4cbb95058c40fd023ec01d0c

SHA256
d502e6ecadbc77c892c78198f38b42500796e30459e626786be0b80589953754

SHA512
6fde0b70e76917acb25113b5752c234325711394c0bfa088cef3984f60ff251704705a33a912f4cd352ddefe0ee5ab06e369275345f5c0788ba961509dfb72df

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d9efc8588af9f0ea9f4aef8dfd00e9

SHA1
093fbf1f14e608fc4228a86f5379858d1a94ef98

SHA256
169e7e980474d326420bd0bc62b823713ff71c5e7f68ac9ec9a17919331bc47e

SHA512
8000a3f9dbe582a49f42cfa9ba08f8934c2cd89c1d8eed1f2a0e97ca26ea1527c0b1c8dc61ae4d62228e9d87c042b2ae317500bc8b403b85fd1e218b73a87392

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7b2bcc1722856ebeea141a79b8b1a91

SHA1
b1a2336c3e28ba507f540b57aa3e215318c83063

SHA256
0c3e3db5f1d9abf3e94b540ceaa5cb46b1214fd9c0c70181c6e6e57f4e31967b

SHA512
db14c3d29ee609893ce830de135f729345aecdda6320165efc424470dd1201b4160074e87fdd8b7ba403745daed51f0f6016e6d1d12356ed57389459ead3f48d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cec607b50a2f8f7e8afde6d516e81afb

SHA1
75374ae69596a6f56e9a3414f086a3af1e088bad

SHA256
002370679fc86591fabba0eb8909e7a002443ea6f8a34e5e1d7fe53d3f340c50

SHA512
13e62788a14c51ea3f57d617a07c019c69439b7825965aa2dad577821b61fd275bc0dce6af2f6dd1d737d687528bb8cf2ee0ddbf0e1c011f934ff003dfb6360c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00c08569d24f56285ff3e25183443501

SHA1
9c6dfbda3e6c9de92e549a860356d35a4e40da91

SHA256
bbd53abd4cf32db4e67edafd2e2c8c2051880c8941beec27e500f9a7b5d56c23

SHA512
7f69335ce4bc002aa6f0e82994fde66ab41ff4c2add0d0aa6c33906efbd0d61abe85cab55b0fd7f2f726f30dd5f90550226e2b114c27d6a7869d5dbdadaf0645

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04a57b83c1e249824d3bd1efb8342a84

SHA1
57fac8a78ecf0d8165d3aa2e73d1737fec01caa8

SHA256
9e681b05e1b00f4915863802fadbbdde63fffa9f74f7fa380a396bf31cb6ef28

SHA512
90cae626ed1774c4aa022f75a7f767205c110ae66715da7024216797e8a481d1009e51c1ca9b3ecf7cee19b7fe5d508f97597ed8f6db472cca65f527d3ec7488

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc99dd84def3a5c1969a3eb178e03744

SHA1
c30fd340b5bb044dacb907fec09868d400c40b9b

SHA256
433f9bf7e497317828f767fef058462b54e72bad30a71d8ec83a26f8bccd9fd3

SHA512
b5f2b6cd4f472a13d8f85b979a7f98a64e717bd5bc716ad47ea050516f485d84b85c9c243627694038b30c21fa266460837eb0516b5d6fe273da7496900da577

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb361425b11caa8619f1d48f001ba60e

SHA1
171abf3e8447c9a52a0775d091860c20b3a1869c

SHA256
65900924c528bd469dcf4fd3a04a06911e71bb9a5df9eaa2bad66a07c540b0b0

SHA512
c9372ff7f15c5057f3a0321f8ff726dcd9e6b11336fc52958910dfa489dc765ef72f09116c5b7c78e2285da78706f83b6f8efad11cf894d92a05e81d88a1dc8d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f870f30b2b50353bf07338ac2eb3008f

SHA1
1d6b9afb46de14c3a327e28b8e316a7a61c04eaf

SHA256
0ab10256606c57268ffadc5fc62ceaf49d155a7fa50b5bc1e2743d6ad1179dd4

SHA512
536c2462e43da58724701469861349b067c0563ca3cb51f0c459059116597021ca3352ca698af269b582d824b8b73ff8e3afdf4ef4f864078357f5fc80f2751e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a5eb83dc43e1ab7b27e7c0f3b3081bb

SHA1
a3c59b9aba60fdb6846c3e1a71d26abf37db452d

SHA256
3a76011de5693d2c0fe41e7f35e3c6258109440432e5b369c2da086abf662801

SHA512
2b58eea946b4a06e40b7617a1978e0e3a90abab67ad774ec0b1d09eaaeb1e3b54f39d3bc856c70fcd44fd8e04951502281f23f143d0ab525961bef768d843e35

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ec4cbe0a3f2d9a9a8fab15f43a7f539

SHA1
be5e02b0f569cfe2f58cf406040ef4daee906cb6

SHA256
14ea738c212b74ff609aed04cef75beaea6ff09684f76b0825f30799c9802045

SHA512
f57374b06f258afbd4f6022481083d88f27cf2c136a408547ab5608c0272d6f50339c55052d1380de95f8e1054cc43e9db98145ec3c863327ab557a6ee49a1da

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25f4d522922efa4e7532f6fe04bd410

SHA1
a4b487101cdca21dbf38cee62606cbcc0fa14f65

SHA256
234875e823a43e46dbd7b4a762ba114feb7fdb50e482f8fa2d0891179e333c81

SHA512
859baf84f35690ed7a180303d8f9a02f4a031aac5d3ed790b9a5a5f1895ef20e3eec9dc617e23736e87942c2c7a1eb2dd384229fadcbeff7bb14fa176ea83a8c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfb9238198c6524328e31241c13b5018

SHA1
4b5e93ecaf5489e384ef2de1695fdcfcef661ade

SHA256
07c852ecb22198459e5f014675970f32f6ef4f29baadb6fdc0ea0d935c4267c9

SHA512
f9fb7c56fb376926f7c45c983a3946657db7a04c1bdae128d2ad1b0e0203f5ae459e41f62b6745fcc0479722a89c55f7bee537932140d443f85abd5733035768

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0b035118f86e89e2745e22c48105a533

SHA1
cf73dc7450d0ffd8d119ca6ce22ec9b431f1b77d

SHA256
84d26ea5c18a6df85ecdedaf8ba67fc7a15ba9785a85653984e8ecc7ae252bbb

SHA512
067e76d4cfe6e8e86b47489ea8370b2d83a24b68467f52a96e8728f47338bfce24997188eacc1926fe3a104f872c8a4eab3c61970b6a550ad723fc59d5c95f54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab5835.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar5836.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar59E1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www4C7B.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www4C8C.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2176-715-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2176-710-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2176-707-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2176-1312-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2176-1319-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2176-1324-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2472-0-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download
memory/2472-14-0x0000000000400000-0x0000000000441200-memory.dmp

Filesize
260KB

Download