Analysis Overview
SHA256
a1c2da26a3aec23b7d2caf96d5b5dbf05bf8c817e6b3d48522a2403d4f8e1eca
Threat Level: Likely malicious
The file c06bc6914d0027f75bb4d381a806a193_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
Loads dropped DLL
Network Share Discovery
Adds Run key to start application
Drops file in System32 directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 09:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:20
Platform
win7-20240705-en
Max time kernel
148s
Max time network
148s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\empezar.bat = "C:\\Windows\\system32\\6095\\empezar.bat" | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Windows\\system32\\6095\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
Network Share Discovery
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\new\herramientas.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\banca_emprenon.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\zona_segura.css | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\fot_personasder.jpg | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\404.html | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\principa.js | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\zona_publica\01_persona\index.html | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\index.html | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\cajeroexpresslogo_.jpg | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\logosbnew2.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\scot_raya.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\trans.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\banca_empren.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\esq_lila.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\new\fl_nar02.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\scriptsnew\comunes.js | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\1_p.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\atm.jpg | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\imagesEdit\1\zop\7\bullet_mage.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\empezar.bat | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\listo.vbs | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\server.exe | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\new\logo.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\EnLinea\imagenes\login\operacionesLogin.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\ira.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\imagesEdit\banners\248\grade_ctaplazo.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\5.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\banca_empresason.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\imprimirbl.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\banca_personas.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\scotiabank.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\9.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\EnLinea\imagenes\trans.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\2_p.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\fl_blan.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\scriptsnew\formbcp.js | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\fondo_tbdere.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\fonmenu2.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\boton_portal.jpg | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\bot_irx.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\dot.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\esq_azul.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\herramientas.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\3.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\new\fl_nar.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\acceso_rapido.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\imagesEdit\banners\243\chico_seguridad.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\tlpu\jsp\pe\esp\home\index.html | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\MSWINSCK.OCX | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\2.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\logoPeruahora.bmp | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\imagesEdit\1\zop\1\bullet_nara.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\index2.html | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\3.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\abajogrisder.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\enviarbl.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\3_p.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\ptsderecha.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\iconos\viaja_seguro.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\4.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\images\new\fl_blan.gif | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\bcp\OperacionesEnLinea\zona_segura.css | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\css\portada_new.css | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\6095\images\f_ingresa.jpg | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E3F6F9B1-62C2-11EF-A504-6205450442D7} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf7100000000020000000000106600000001000020000000d4df7f4cec1e947b5a4db4f3559877829c4b91888e448b5255182c761947ef76000000000e8000000002000020000000946cfd4dc7f4388c2602cb2a2af93820691f48c90f0a2d18d6d04af5d48ada6e200000004af74ad99569b66c01b157fd83935e5d20bd617ef3c6be4fa2240df90fe2485f4000000054eb2197d90481599ff33d1b886d1c76ba1856ef9b33b3fd7c7786c15c94413e024608cc0b49248f0308721ba6d9c70bc7e4f60de4813e9b1ebe4c30787d2cc1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 105fcbb8cff6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430739333" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\6095\\MSWINSCK.OCX" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID | C:\Windows\SysWOW64\6095\server.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\6095\listo.vbs"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Windows\System32\6095\inicio.bat" "
C:\Windows\SysWOW64\6095\server.exe
"C:\Windows\System32\6095\server.exe"
C:\Windows\SysWOW64\net.exe
net stop SharedAccess
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://srvr.timwe.com/timwe_prod/PROD_COL/PERU/CLARO/minisite/index.php
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.sonmusical.com | udp |
| US | 8.8.8.8:53 | srvr.timwe.com | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Windows\SysWOW64\6095\images\fl_blan.gif
| MD5 | 4448424a0727f28efafa40d30149c379 |
| SHA1 | 636da7194bcadff563932b4de1d5d66c9abf80d3 |
| SHA256 | 264e559dbeb149890848186acbca26f2bd0232c3eba38694bb8c36a85a663872 |
| SHA512 | ece247d66a2940fe7fe724a062e0c69344822ed8cade60bc95663432f9cc37f412986dcf43ac8a9e214e1afde83f786d063ac7b663ecca30a0ea209b7feeb097 |
C:\Windows\SysWOW64\6095\images\fl_nar.gif
| MD5 | 6ce0387d66549f45f0881bb9077e192d |
| SHA1 | f6b41cd1c0598345c71a65bce08e25bc6da9d70a |
| SHA256 | 0a12e034b28fac8e819b5e9b1cce37b5e831834b5bbf6e9a64070b53533e6a8c |
| SHA512 | 462782de67b91ba3169bdaf47b65db4b26e020fe68e43a3bfb9e17e61925e80cd58c9100a9277e1db09e90a7cfce34c458216c79440e0ba83d44fee9d9604d66 |
C:\Windows\SysWOW64\6095\images\fl_nar02.gif
| MD5 | bbefc514ca3b7b4e1ef7e1c62f9b1d3e |
| SHA1 | 7d9b89999b7fb235bb9f0759ee63ef5f73c98627 |
| SHA256 | 2dfa7d8aa4d292b6c84f518b69f26be52b06c5104f0e527e8a295f66e1730e17 |
| SHA512 | a3155a4e06c32096774cd37d6bdb59252f2cdfeb14d426b14b5e471bc3850ed1e8f6517e2bfbdf4ee7c23864aec4f9d5c050f9b43c880dcdfbf61395e282a8bb |
C:\Windows\SysWOW64\6095\images\herramientas.gif
| MD5 | ada7ea4a9123bcee2828d3520a514c06 |
| SHA1 | 93f1b122b57109081ff4c567c81e177981800a7c |
| SHA256 | cca4e955402ad5f676f2e7f56782812526c4233538b15957436f4b2c1feaf60f |
| SHA512 | 473b0baec60d55cb4186f66fff8606711f480273a8b2d0c78580e90fd52c47d40492ffbefe34693b1eae7b3967c50d9f966c1f35f28e848361d49e0a84ced1a2 |
C:\Windows\SysWOW64\6095\images\tit_ingresa.gif
| MD5 | 174a762ede78de6b9f2aa8ce0d39b060 |
| SHA1 | 7fba4fc75ba3e9dea1b5eb098c1a33939f1bcf46 |
| SHA256 | 41450915dcebef37b44954f00e96de58391db1b2f614d82213554e5467b53885 |
| SHA512 | d5c4031784e59f7bacbfb0f42d14409cb912dc25964991b0a8ec9bf1bc05a5bd5f97c2ffdaa1d054dfd758e32f8914d5d3e1ba089ab742715ae7253508d352aa |
C:\Windows\SysWOW64\6095\images\spacer.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Windows\SysWOW64\6095\images\logo.gif
| MD5 | 0af4ea969033d065c1d9e1e00fac7ab2 |
| SHA1 | dfc0c441493178427875d13f8738eefb328745bd |
| SHA256 | 5bd86f0c7b9488952472273d994a2c12fc50cf7293825df767bcc5218be5393f |
| SHA512 | 310c3f05542af52950232d7cb4a15c2cb086f21fc7899184e12114ce8348fa5e49f684999ff3a6ba59fcc587b05dfd1c6127629d64794b685d82e6c67a4a0801 |
C:\Windows\SysWOW64\6095\images\ic_candado2.gif
| MD5 | 9b769432f88cdba9df37f3bbf5680dcb |
| SHA1 | c394c97606ad96dfeb00a4c12756e2fe8b54240a |
| SHA256 | 041e15100772ad4aa977949ba324181861a6c9e25b78e702a80801e20d9c5f8b |
| SHA512 | 02f96f5df2d5c9405b6a4b9117e99f255496a87d7ca4650e36871d37e1c2215a0bc96577b6b0f161e694b8548d4507896b12deb819321c906ccbf84cbf3f7029 |
C:\Windows\SysWOW64\6095\imagesEdit\bullet_nara.gif
| MD5 | b70875abc68acdda52465961e52d7f22 |
| SHA1 | a1e96c97fe86f5c920f3b4f6a55eb38d6f42979e |
| SHA256 | 7bdaeff8903cd47126213fad77a50309ccce60039dcd3c24491912c5961a6274 |
| SHA512 | db7d0a5f750cf4f27e88b0f65633097d662d6c7045ae5adf6b82f9891f2c1e18242d75d57a939d7dd9c1e7f91374fa928ad34b5e3bf605cf9c8caaa3f0786235 |
C:\Windows\SysWOW64\6095\imagesEdit\fl_nar.gif
| MD5 | 8e7e35d6069b7f3cfffc2552366b8d77 |
| SHA1 | eca95ebf49cc4e5ebdfd1c5898b08c761786ef48 |
| SHA256 | 2483283737104c74a80a0d87aafda6158380b8eb5b320dcf0dd16f1bfdca9b10 |
| SHA512 | 12e69f747206795fbaa83d47498a589fafc9e7b76e6e876d12d8b94f990a11b428093bdc6a0030d0101e5d50b7b71e184d1909454935300d65054d4fd8e36fb8 |
C:\Windows\SysWOW64\6095\imagesEdit\fl_magenta.gif
| MD5 | 8588fe42b88c8813b38b4130b50263e2 |
| SHA1 | 36293570a1ee26d87b4924f74001b3b9db09f8ce |
| SHA256 | c444fd18800314f402b3390411b766d8aea965b2b1196a85e8a382c8a4021984 |
| SHA512 | a0b6939ae213568316f6d6100a20043cae333a86593c7326bed394d6069ea71fda385561c2b74b209f5bf64b36717d191238f855aff15c1b4c81c7362e5e599c |
C:\Windows\SysWOW64\6095\listo.vbs
| MD5 | ed9ab547e8782ae58904eb302b508bee |
| SHA1 | e0c674b714fe356860cbb2706b3d313a10bad21b |
| SHA256 | 59c4d73ca93def31d0c496f1c7e66360484de1053d9c084faad280adad12666a |
| SHA512 | dc63f4db230e5471e14ade740b748f7317bfbfd5e641ceb09c88cdc2c2e45f6906fb5a3744daaf950c7e95ac898f3f3934b86dbb4082e3c2f60beb5115e9f9ae |
memory/1052-401-0x0000000000400000-0x0000000000427000-memory.dmp
C:\Windows\SysWOW64\6095\inicio.bat
| MD5 | 159eee2c69357c834edb81cf878184ab |
| SHA1 | 3ed002de0f2a06025c4443bf3f2989cfc2f3685e |
| SHA256 | 2c5a687cf8efe6c7617470c70ddfa817c2a14e12a0fd5e045950759f3dabeca2 |
| SHA512 | 3049c7bd6c7cf6e2eae72ddd3c65087bbe3ad1197a47e654318fe8378bc183200e49ce8558eeb16848c02f557cffa27d444c6ef2a10baed2335d88bbba1fcc25 |
C:\Windows\SysWOW64\6095\server.exe
| MD5 | d824fd5dc0fcb7d8b685afee4335ecdf |
| SHA1 | 365f4667af283423bb730f3041293896b3198c34 |
| SHA256 | f76aaa2369bac454921482500e332b451b890e1f56bced1c166d8037bd79f441 |
| SHA512 | 8025d2d457551c304910b9ac76c1db5e69d1a67b27389e8dbcc2529c90bb031d4e27770715de8836286e9388dcff3d56e21edfcd3779e7c4f3b528f7fbb0272f |
memory/2404-406-0x0000000000410000-0x000000000041B000-memory.dmp
memory/2404-409-0x0000000000410000-0x000000000041B000-memory.dmp
memory/3020-410-0x0000000000400000-0x000000000040B000-memory.dmp
\Windows\SysWOW64\6095\MSWINSCK.OCX
| MD5 | 9484c04258830aa3c2f2a70eb041414c |
| SHA1 | b242a4fb0e9dcf14cb51dc36027baff9a79cb823 |
| SHA256 | bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5 |
| SHA512 | 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0 |
memory/3020-448-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab9954.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar99F5.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3e1ed73894321cb86921e444f14e859 |
| SHA1 | a4cecbf174b8b56bc8d948f4f8a02fe88ca9d6e6 |
| SHA256 | 523918a06108a290fae6ba0716468918568a9007968abb80f64331cbeb36d302 |
| SHA512 | 01b23f864a7d6fa7a32a5b03b66b40d467673c19d7fce62530671914a46dbb3c89fec3d7f507359a189028ecb376e8712a3c5e256a3f6f4edfa076f0c711f460 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 81061bcaa67fbc618945aa0255ab6e74 |
| SHA1 | b62c7d0008652f71448592b11fef901c5e2fa640 |
| SHA256 | e9d8bef0ea8575a0c01888667f0803d6088a641142000e48f38974b3bde3e87f |
| SHA512 | da6c909ea931589abe105ac75b6775e70db10a8635da6336594bd1f84cac0e6b61b4b7f5a5b84b4f87e28af0b232a185bc670e729e774e57b40cadb5aa875037 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7f7fb351e370fa863170e5d5cae29fbf |
| SHA1 | 2e419f88e7a34bf77a34d4b2ee69878d8cb4428e |
| SHA256 | 53bb47ab427bb4c35deb573c27b794539e108b712d02116a2030e6530bfcb803 |
| SHA512 | f1e3311d60d8a8098872e14b739861db7745045df5bde392a5014937a25c8d7063d5edd92a0862e24d0af5d71824f03b2acdf05e628bb59dc5b174fc6bba02a1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dacdb24f9362bb89073837bf2c1a3d71 |
| SHA1 | 62c877bf55b52bc2bd931081c19b08f2f3aedf65 |
| SHA256 | 5f57ce0f542f4a99d0ee8b5d45460b18e489beb879d2becacabc30b973d5359f |
| SHA512 | 27835de6827bc50595e4317f950689b232783a5374bf3beaefa438d03ca8c9107c9057e223973a81cc227edac82c23975e2f5d8a601b068a9b54fc6147c63b1d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 97eb5b4f3d28c5ba2535ad9b5017cfa8 |
| SHA1 | 4b6f9c9a464d5e44f61f64e0255c1fc720484323 |
| SHA256 | 97ac8a3ffae2930c87372bd89b9c09f3b764ccfe75ba9e19ce858bd7b17ad9cf |
| SHA512 | dc469e8673b0d248289cba3a529f8e45a3a1fc84ad1c38ca2309aa7ce10226f4887847666f7fac1885492126282d412dbd76d6bbda5e3cbe52e4e7aa5fe82056 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e779e2c3f524dd94aec03b9b9dff3978 |
| SHA1 | 061435b3a764aadb1658b54635256d588d878e71 |
| SHA256 | 59b07287d1dcca41589dfd4e3138356247b8fd982bef369bb96eb21de68c6b17 |
| SHA512 | 9a8dafaef59c7db7ae21da814caef25014a03c7dc01d00ffabc37fe505fef7596adb8a9e607e41954faaebf6f2e747b823caeafe0242c4475cfdd9a277105f36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce772684c9d8cb0fa9677f345afabd66 |
| SHA1 | 1223f62bd1b8e6fa3d69ba894ecc362f45e9f118 |
| SHA256 | bcca9b26a949ceff644233f44e8550b19b862b7ffeb9855bad8a1044c55a8516 |
| SHA512 | a7753c9e11825b2b319ccc582b8807689876c9e24d6db61c5f6352c040dae65c387118170be49a3200a4a98f005066fe574c4a3b4c56d460f8cd5ab2337ff96e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 30d654359c901139364603642bb33902 |
| SHA1 | e3053cdcb138cd451011d7efd38f73fa942bfaec |
| SHA256 | 3f75c854ac86bdea326c307fbc1ffd27037a17416b89e1bafb3b755271320cd0 |
| SHA512 | ea4532abd01d554aeaaca2e5313b2df79f42f79a75e0e16dcc8d46e9fd834c5979eaa24ee5f7e07b4414c01d3dde31e37058fae847f2b418c4911aaa9c1dc2e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b91e803e50704135cee27107763a1a79 |
| SHA1 | cde25a48b8ce8c650a6fb71fd791a9786c7e6d65 |
| SHA256 | 2beea81c5af23b13bb2e0c80734383162fc4d4494db9197f804d22b9cda94b9e |
| SHA512 | 67b1fae92f49be8cf65698d03385c0c02e7f10da88ea3e066862a23c1a18e5d88f3cc95dd724793b0d9a798fb1505b2ab7084096b5836240601a181efaed2297 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 561701c696426a177245d68524fa6f22 |
| SHA1 | e6c4269791951824a9a0559723b4d76d30ab4716 |
| SHA256 | 1f2edb9361ce424860101d00a9adb65ef71ed8f31f634314b0d555d6e55ce457 |
| SHA512 | 239412be20b0fd51241bd3c510690563f166909dc936fcbf9a93114bbebf0891b795393a220edb6b5cb836e9d46fd28e5709fbba200047b81ab48bae0c618566 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a19816f6eae179d5654dce0e6ff56bda |
| SHA1 | d5a7ca5ea38aac661e9e35f5f4cfc03825b1fdbe |
| SHA256 | c6ce9a68a73ad0fc7e78add616fdf1d1b4411c2e2af74b7b448e2ccd2a5a8bc2 |
| SHA512 | b8d31eff107ebda0cb483d5fad1e746285be950057695d267e48a0e2bd16dad4f7ea394b919f1ffa720a046dedd8ad011b0958e2bff5c2c0375f2270371035a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3efd09acde32b8b89a914f406e7ddc2c |
| SHA1 | 0d50fed1afa9d951303b1299a9b60913c03ca92d |
| SHA256 | e2b279931932e7a6ecf25d521971b51bfbb483901c55424ff3d151c8df47271a |
| SHA512 | 1806580df468a84e02e3f4a1b411e757d2e8e9d617f671735bd801ea3b821cd1b5897714bade4ec31fcc934d8d0261b74781e5b8275c93df6a5e9b340b91e1c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afa19d5ec926a7c6c178ee1882cb72dd |
| SHA1 | 72cc9a6197bd4148be0b42fd0550edb7642a9872 |
| SHA256 | e1956e9f58becb2538e55434b6aad002980961afe5c3952dc2ee582893f82210 |
| SHA512 | 4a6ba32298109d297224d198a045dd69edc2931355e628dd3692c11bf84e0f590953a50c32396f97aa30c03afec8910b8d9f0ba4e6880a0e689b607b2d21f1e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 162f3461f9834447edf31a3213d71a29 |
| SHA1 | 777a0c517bf967c1d7e4e4e4541dba54e2115146 |
| SHA256 | 55b1d9f5dbdae16e29933f0792f48d85163410654bb93b61047f058df3b9cbd6 |
| SHA512 | 199432b09e4050955d61daf8d2b9253d77f18680dbc5e10301ec7d8398d124a1833dc5946e0ccb827c8ec3bf9192e42830b6276cb3c0bb6ec95dec7fea0bdb55 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 543550372ee202d1fb5be5498f3e3f78 |
| SHA1 | da84753329ceef76c8f85e059062cccd96675f05 |
| SHA256 | 5b7acf205f6ff36900f4376dae14283519b2f0e4f79a1fd8094e106ef4fdcde3 |
| SHA512 | b6eb6579f2ccd0554cc238016b1a35ebefb663e181dbf7e3897863612be1ba93d4423437dd0931606c783af0080bbd39079fdf961e18f56ce90dcaba66b5d18a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ecd38af5e73d6f1c3293ee97e002829e |
| SHA1 | 69040ebdb72a6a679cf3d3ea1523698eb51a5e42 |
| SHA256 | dc9c3485de418f631d870acc8e6e723648f24cc20cc0e6264109a0f6552f127b |
| SHA512 | 203c2636eaf504ad93fa069b142824c938371110f0edf3a6177267b108efc6b27d106f7aebdefa6d3ef0b22c3fa7ea8a84519262878f429b7c84e649dbca8edf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 51f5dab44284ec6244f7b385aa409296 |
| SHA1 | 1cf1f833554cf1413d612e4a4d4daffdf8faa74c |
| SHA256 | bca225a06e325be96416f72a237470330244b7b276d621f2e660dd410a425e0b |
| SHA512 | 515a1f8d96422944957f000b8f6a0a88a6593221f24ab83e2130d89166a646f35d00620cec23a92117e96e49bdfcb4bc664039d6ecc502c0ab817669181f9505 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b745f57c2806a50fbfe09ee1da376afb |
| SHA1 | 8ef9736d25ca36ca11502ed9e69d4c06147ad3fd |
| SHA256 | 5238a12fd26cd0e0f3dd42d4a492aadffdd656004eeb14d7c2bd89404c539961 |
| SHA512 | 64a3be2b1a3b5a9e4c0d4369f31d9506430c72c8663dd53b6fce8449a452c692cd1fee4e9b1eee325b74ea0f12bf5be2dee4549fbb47f04da103725075b1a1af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 084155b45750bf0f0e3cfcb495f1e979 |
| SHA1 | c4d1c9b82f03a3e2c254f9ed97619db1a83bf550 |
| SHA256 | ee0abbcff0068738c0ab4c73a9806a38f4dc9445adc654bbb248d1719714be8f |
| SHA512 | d5c21ad61317bbe8be9c96cfa9dba9c9fe89e8dfd630c4eb149144c9d161deb27d9da7044544edc47d3b090daf05a19ae25b369872c96a84a0c94cd3915d1af1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 09:17
Reported
2024-08-25 09:20
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\cmd.exe | N/A |
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\empezar.bat = "C:\\Windows\\system32\\6095\\empezar.bat" | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\server.exe = "C:\\Windows\\system32\\6095\\server.exe" | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
Network Share Discovery
Drops file in System32 directory
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\6095\\MSWINSCK.OCX" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\6095\\MSWINSCK.OCX" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\6095\\MSWINSCK.OCX" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 | C:\Windows\SysWOW64\6095\server.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0" | C:\Windows\SysWOW64\6095\server.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\6095\server.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c06bc6914d0027f75bb4d381a806a193_JaffaCakes118.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\6095\listo.vbs"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\System32\6095\inicio.bat" "
C:\Windows\SysWOW64\6095\server.exe
"C:\Windows\System32\6095\server.exe"
C:\Windows\SysWOW64\net.exe
net stop SharedAccess
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://srvr.timwe.com/timwe_prod/PROD_COL/PERU/CLARO/minisite/index.php
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffaad2746f8,0x7ffaad274708,0x7ffaad274718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,4079871939225741144,10551058676837326550,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5624 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sonmusical.com | udp |
| US | 8.8.8.8:53 | srvr.timwe.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.53.23.195.in-addr.arpa | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | arc.srv.lan | udp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | ntp.srv.lan | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | edge.msiserver.lan | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| PT | 195.23.53.124:80 | srvr.timwe.com | tcp |
| US | 8.8.8.8:53 | nav.smartscreen.msiserver.lan | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\6095\images\fl_nar02.gif
| MD5 | bbefc514ca3b7b4e1ef7e1c62f9b1d3e |
| SHA1 | 7d9b89999b7fb235bb9f0759ee63ef5f73c98627 |
| SHA256 | 2dfa7d8aa4d292b6c84f518b69f26be52b06c5104f0e527e8a295f66e1730e17 |
| SHA512 | a3155a4e06c32096774cd37d6bdb59252f2cdfeb14d426b14b5e471bc3850ed1e8f6517e2bfbdf4ee7c23864aec4f9d5c050f9b43c880dcdfbf61395e282a8bb |
C:\Windows\SysWOW64\6095\images\logo.gif
| MD5 | 0af4ea969033d065c1d9e1e00fac7ab2 |
| SHA1 | dfc0c441493178427875d13f8738eefb328745bd |
| SHA256 | 5bd86f0c7b9488952472273d994a2c12fc50cf7293825df767bcc5218be5393f |
| SHA512 | 310c3f05542af52950232d7cb4a15c2cb086f21fc7899184e12114ce8348fa5e49f684999ff3a6ba59fcc587b05dfd1c6127629d64794b685d82e6c67a4a0801 |
C:\Windows\SysWOW64\6095\images\tit_ingresa.gif
| MD5 | 174a762ede78de6b9f2aa8ce0d39b060 |
| SHA1 | 7fba4fc75ba3e9dea1b5eb098c1a33939f1bcf46 |
| SHA256 | 41450915dcebef37b44954f00e96de58391db1b2f614d82213554e5467b53885 |
| SHA512 | d5c4031784e59f7bacbfb0f42d14409cb912dc25964991b0a8ec9bf1bc05a5bd5f97c2ffdaa1d054dfd758e32f8914d5d3e1ba089ab742715ae7253508d352aa |
C:\Windows\SysWOW64\6095\imagesEdit\bullet_nara.gif
| MD5 | b70875abc68acdda52465961e52d7f22 |
| SHA1 | a1e96c97fe86f5c920f3b4f6a55eb38d6f42979e |
| SHA256 | 7bdaeff8903cd47126213fad77a50309ccce60039dcd3c24491912c5961a6274 |
| SHA512 | db7d0a5f750cf4f27e88b0f65633097d662d6c7045ae5adf6b82f9891f2c1e18242d75d57a939d7dd9c1e7f91374fa928ad34b5e3bf605cf9c8caaa3f0786235 |
C:\Windows\SysWOW64\6095\images\spacer.gif
| MD5 | 325472601571f31e1bf00674c368d335 |
| SHA1 | 2daeaa8b5f19f0bc209d976c02bd6acb51b00b0a |
| SHA256 | b1442e85b03bdcaf66dc58c7abb98745dd2687d86350be9a298a1d9382ac849b |
| SHA512 | 717ea0ff7f3f624c268eccb244e24ec1305ab21557abb3d6f1a7e183ff68a2d28f13d1d2af926c9ef6d1fb16dd8cbe34cd98cacf79091dddc7874dcee21ecfdc |
C:\Windows\SysWOW64\6095\images\ic_candado2.gif
| MD5 | 9b769432f88cdba9df37f3bbf5680dcb |
| SHA1 | c394c97606ad96dfeb00a4c12756e2fe8b54240a |
| SHA256 | 041e15100772ad4aa977949ba324181861a6c9e25b78e702a80801e20d9c5f8b |
| SHA512 | 02f96f5df2d5c9405b6a4b9117e99f255496a87d7ca4650e36871d37e1c2215a0bc96577b6b0f161e694b8548d4507896b12deb819321c906ccbf84cbf3f7029 |
C:\Windows\SysWOW64\6095\images\herramientas.gif
| MD5 | ada7ea4a9123bcee2828d3520a514c06 |
| SHA1 | 93f1b122b57109081ff4c567c81e177981800a7c |
| SHA256 | cca4e955402ad5f676f2e7f56782812526c4233538b15957436f4b2c1feaf60f |
| SHA512 | 473b0baec60d55cb4186f66fff8606711f480273a8b2d0c78580e90fd52c47d40492ffbefe34693b1eae7b3967c50d9f966c1f35f28e848361d49e0a84ced1a2 |
C:\Windows\SysWOW64\6095\images\fl_nar.gif
| MD5 | 6ce0387d66549f45f0881bb9077e192d |
| SHA1 | f6b41cd1c0598345c71a65bce08e25bc6da9d70a |
| SHA256 | 0a12e034b28fac8e819b5e9b1cce37b5e831834b5bbf6e9a64070b53533e6a8c |
| SHA512 | 462782de67b91ba3169bdaf47b65db4b26e020fe68e43a3bfb9e17e61925e80cd58c9100a9277e1db09e90a7cfce34c458216c79440e0ba83d44fee9d9604d66 |
C:\Windows\SysWOW64\6095\images\fl_blan.gif
| MD5 | 4448424a0727f28efafa40d30149c379 |
| SHA1 | 636da7194bcadff563932b4de1d5d66c9abf80d3 |
| SHA256 | 264e559dbeb149890848186acbca26f2bd0232c3eba38694bb8c36a85a663872 |
| SHA512 | ece247d66a2940fe7fe724a062e0c69344822ed8cade60bc95663432f9cc37f412986dcf43ac8a9e214e1afde83f786d063ac7b663ecca30a0ea209b7feeb097 |
C:\Windows\SysWOW64\6095\imagesEdit\fl_magenta.gif
| MD5 | 8588fe42b88c8813b38b4130b50263e2 |
| SHA1 | 36293570a1ee26d87b4924f74001b3b9db09f8ce |
| SHA256 | c444fd18800314f402b3390411b766d8aea965b2b1196a85e8a382c8a4021984 |
| SHA512 | a0b6939ae213568316f6d6100a20043cae333a86593c7326bed394d6069ea71fda385561c2b74b209f5bf64b36717d191238f855aff15c1b4c81c7362e5e599c |
C:\Windows\SysWOW64\6095\imagesEdit\fl_nar.gif
| MD5 | 8e7e35d6069b7f3cfffc2552366b8d77 |
| SHA1 | eca95ebf49cc4e5ebdfd1c5898b08c761786ef48 |
| SHA256 | 2483283737104c74a80a0d87aafda6158380b8eb5b320dcf0dd16f1bfdca9b10 |
| SHA512 | 12e69f747206795fbaa83d47498a589fafc9e7b76e6e876d12d8b94f990a11b428093bdc6a0030d0101e5d50b7b71e184d1909454935300d65054d4fd8e36fb8 |
C:\Windows\SysWOW64\6095\listo.vbs
| MD5 | ed9ab547e8782ae58904eb302b508bee |
| SHA1 | e0c674b714fe356860cbb2706b3d313a10bad21b |
| SHA256 | 59c4d73ca93def31d0c496f1c7e66360484de1053d9c084faad280adad12666a |
| SHA512 | dc63f4db230e5471e14ade740b748f7317bfbfd5e641ceb09c88cdc2c2e45f6906fb5a3744daaf950c7e95ac898f3f3934b86dbb4082e3c2f60beb5115e9f9ae |
memory/3860-401-0x0000000000400000-0x0000000000427000-memory.dmp
C:\Windows\SysWOW64\6095\inicio.bat
| MD5 | 159eee2c69357c834edb81cf878184ab |
| SHA1 | 3ed002de0f2a06025c4443bf3f2989cfc2f3685e |
| SHA256 | 2c5a687cf8efe6c7617470c70ddfa817c2a14e12a0fd5e045950759f3dabeca2 |
| SHA512 | 3049c7bd6c7cf6e2eae72ddd3c65087bbe3ad1197a47e654318fe8378bc183200e49ce8558eeb16848c02f557cffa27d444c6ef2a10baed2335d88bbba1fcc25 |
C:\Windows\SysWOW64\6095\server.exe
| MD5 | d824fd5dc0fcb7d8b685afee4335ecdf |
| SHA1 | 365f4667af283423bb730f3041293896b3198c34 |
| SHA256 | f76aaa2369bac454921482500e332b451b890e1f56bced1c166d8037bd79f441 |
| SHA512 | 8025d2d457551c304910b9ac76c1db5e69d1a67b27389e8dbcc2529c90bb031d4e27770715de8836286e9388dcff3d56e21edfcd3779e7c4f3b528f7fbb0272f |
memory/3184-406-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Windows\SysWOW64\6095\MSWINSCK.OCX
| MD5 | 9484c04258830aa3c2f2a70eb041414c |
| SHA1 | b242a4fb0e9dcf14cb51dc36027baff9a79cb823 |
| SHA256 | bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5 |
| SHA512 | 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | d544942bbcdda2bd50dd0b3fb14757b7 |
| SHA1 | d7949bb8f02d71fcfbd36f11e218541b75096812 |
| SHA256 | 01a159ae55b8a5ff6ade892b25fa9ca3ece110a5d13968bf4341918c6b784448 |
| SHA512 | 1bb773e98827c148acc4fbf6006c366e6a2dae4cc5a262f4f19095b09092fecc56dd3150c6aaf1ffce5ac44255969198ff21d1f6c75bccfad49385fb50aba9eb |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 719923124ee00fb57378e0ebcbe894f7 |
| SHA1 | cc356a7d27b8b27dc33f21bd4990f286ee13a9f9 |
| SHA256 | aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808 |
| SHA512 | a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc |
\??\pipe\LOCAL\crashpad_396_TEXJJPVUGDXFUXOO
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d7114a6cd851f9bf56cf771c37d664a2 |
| SHA1 | 769c5d04fd83e583f15ab1ef659de8f883ecab8a |
| SHA256 | d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e |
| SHA512 | 33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a6404af0ee29c838cf6bab87f37ef8fb |
| SHA1 | 7ebaf7423f0141d6db96932b55378e1d09fcefd9 |
| SHA256 | 1d1e7fd14135b859eecddac2667dfcf7a4ffa73541334e201d9843c364836fe1 |
| SHA512 | c5985a9d4d817c3bb5826f2f66bb6412174c669c73c205430dd513c9d9e3057e354a958d736de53acb83d0371a63cd9f84de717b9a0e82dc777e97a4baf63251 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3184-461-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 369afc58624b6096a1acdfd52648fcc1 |
| SHA1 | 4ff95076e80b7052c4dff4de440be5925ec15d07 |
| SHA256 | bfeb920dbc72590de29ff17c718289d8200fa4f10f98b42d514995a58fecb7af |
| SHA512 | c34ac2217173e54689705383727fd110f7f91d466d6b138c0caea4f7e8348e23a107c66c8d21bcfee33d33ee2626d464b108cc9db5abf0ed756d82b2e9566266 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | eb47c27dfe56def8d84d2f70ad81bfe6 |
| SHA1 | fe4d578cd98dadea2b00ea47cbf018a7374c04be |
| SHA256 | d0f98fcecf195597dce657842ef08141501edb5cccbb245a6f15d8b36d67e43c |
| SHA512 | aed92327f92d7bc4b68db49afe1119dc79f046adb6a2ea630bbb2bc97668e832210d273a0c56a0c8e37e07eb0e22ab6e9469c6e27f786a87262e5bf313c7ea6e |