1e2e6b69f0fbe06cd84afe07ddd31d9d4fddad95615a72310f5d5b1ee8c613df

Analysis

max time kernel
148s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe
Size

105KB
MD5

0cca7dad66417eb9ae5735ead9541189
SHA1

c82852199069aff10823f337e425fe58ebed3bd5
SHA256

1e2e6b69f0fbe06cd84afe07ddd31d9d4fddad95615a72310f5d5b1ee8c613df
SHA512

1a1ec397e2a2cde3e825676fc41fd3538cd8320a565a1a45122402a2791128a4a40ac94158f91e09da5610ecd9605c2f0402a37c57f2d5821e8618b7d56fa456
SSDEEP

3072:sYrnBXAFxYiGINC+dsL5q3ZYcd6OtPf5ZWfXP9gO7H/W:sUBQF2VmsMqcTH5ZWH9gO

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3040	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1724	RpcS.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AB0CA331-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6970BD31-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{962CB451-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{962CB452-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6970BD3D-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.exe	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AB0CA332-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{814A6411-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{814A6412-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[2].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6970BD31-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6FC826F0-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{6970BD33-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File created	C:\Windows\SysWOW64\RpcS.exe	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BFEA30B1-8111-11EF-B0EB-7699BFC84B14}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\RpcS.dll	RpcS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/files/0x0008000000012119-3.dat	upx
behavioral1/memory/1724-4-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/2256-15-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-716-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-717-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-722-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-725-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-1322-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-1331-0x0000000000400000-0x0000000000432000-memory.dmp	upx
behavioral1/memory/1724-1334-0x0000000000400000-0x0000000000432000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RpcS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070a0003000200160037001e000e0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 01000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 030000000000000001000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "6"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000001d0000000000000003000000ffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "10"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070a0003000200160038002f001901	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5BE32CDC-2319-49F2-A4CF-4820F404DFE5}\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070a00030002001600390010009f02	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070a0003000200160037002500ae00	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0700000000000000030000000000000001000000ffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070a00030002001600380029009902	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = b0ca252c1e15db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 03000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 0000000001000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5BE32CDC-2319-49F2-A4CF-4820F404DFE5}\8e-5c-ef-19-e9-1e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 905e182f1e15db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 000000000000000004000000000000001d0000000000000003000000ffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff8700000087000000a7030000df020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	RpcS.exe
Token: SeDebugPrivilege	1724	RpcS.exe
Token: SeDebugPrivilege	1724	RpcS.exe
Token: SeDebugPrivilege	1724	RpcS.exe
Token: SeDebugPrivilege	1724	RpcS.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
900	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2568	IEXPLORE.EXE
2912	IEXPLORE.EXE
2912	IEXPLORE.EXE
1176	IEXPLORE.EXE
1176	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1492	1724	RpcS.exe	29
PID 1724 wrote to memory of 1492	1724	RpcS.exe	29
PID 1724 wrote to memory of 1492	1724	RpcS.exe	29
PID 1724 wrote to memory of 1492	1724	RpcS.exe	29
PID 2256 wrote to memory of 3040	2256	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe	30
PID 2256 wrote to memory of 3040	2256	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe	30
PID 2256 wrote to memory of 3040	2256	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe	30
PID 2256 wrote to memory of 3040	2256	0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe	30
PID 1492 wrote to memory of 2912	1492	IEXPLORE.EXE	32
PID 1492 wrote to memory of 2912	1492	IEXPLORE.EXE	32
PID 1492 wrote to memory of 2912	1492	IEXPLORE.EXE	32
PID 1492 wrote to memory of 2912	1492	IEXPLORE.EXE	32
PID 2912 wrote to memory of 2996	2912	IEXPLORE.EXE	33
PID 2912 wrote to memory of 2996	2912	IEXPLORE.EXE	33
PID 2912 wrote to memory of 2996	2912	IEXPLORE.EXE	33
PID 2912 wrote to memory of 2568	2912	IEXPLORE.EXE	34
PID 2912 wrote to memory of 2568	2912	IEXPLORE.EXE	34
PID 2912 wrote to memory of 2568	2912	IEXPLORE.EXE	34
PID 2912 wrote to memory of 2568	2912	IEXPLORE.EXE	34
PID 1724 wrote to memory of 2972	1724	RpcS.exe	35
PID 1724 wrote to memory of 2972	1724	RpcS.exe	35
PID 1724 wrote to memory of 2972	1724	RpcS.exe	35
PID 1724 wrote to memory of 2972	1724	RpcS.exe	35
PID 2972 wrote to memory of 1984	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 1984	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 1984	2972	IEXPLORE.EXE	36
PID 2972 wrote to memory of 1984	2972	IEXPLORE.EXE	36
PID 2912 wrote to memory of 900	2912	IEXPLORE.EXE	37
PID 2912 wrote to memory of 900	2912	IEXPLORE.EXE	37
PID 2912 wrote to memory of 900	2912	IEXPLORE.EXE	37
PID 2912 wrote to memory of 900	2912	IEXPLORE.EXE	37
PID 1724 wrote to memory of 2692	1724	RpcS.exe	40
PID 1724 wrote to memory of 2692	1724	RpcS.exe	40
PID 1724 wrote to memory of 2692	1724	RpcS.exe	40
PID 1724 wrote to memory of 2692	1724	RpcS.exe	40
PID 2692 wrote to memory of 2808	2692	IEXPLORE.EXE	41
PID 2692 wrote to memory of 2808	2692	IEXPLORE.EXE	41
PID 2692 wrote to memory of 2808	2692	IEXPLORE.EXE	41
PID 2692 wrote to memory of 2808	2692	IEXPLORE.EXE	41
PID 2912 wrote to memory of 2956	2912	IEXPLORE.EXE	42
PID 2912 wrote to memory of 2956	2912	IEXPLORE.EXE	42
PID 2912 wrote to memory of 2956	2912	IEXPLORE.EXE	42
PID 2912 wrote to memory of 2956	2912	IEXPLORE.EXE	42
PID 1724 wrote to memory of 1676	1724	RpcS.exe	43
PID 1724 wrote to memory of 1676	1724	RpcS.exe	43
PID 1724 wrote to memory of 1676	1724	RpcS.exe	43
PID 1724 wrote to memory of 1676	1724	RpcS.exe	43
PID 1676 wrote to memory of 884	1676	IEXPLORE.EXE	44
PID 1676 wrote to memory of 884	1676	IEXPLORE.EXE	44
PID 1676 wrote to memory of 884	1676	IEXPLORE.EXE	44
PID 1676 wrote to memory of 884	1676	IEXPLORE.EXE	44
PID 2912 wrote to memory of 3020	2912	IEXPLORE.EXE	45
PID 2912 wrote to memory of 3020	2912	IEXPLORE.EXE	45
PID 2912 wrote to memory of 3020	2912	IEXPLORE.EXE	45
PID 2912 wrote to memory of 3020	2912	IEXPLORE.EXE	45
PID 1724 wrote to memory of 2860	1724	RpcS.exe	46
PID 1724 wrote to memory of 2860	1724	RpcS.exe	46
PID 1724 wrote to memory of 2860	1724	RpcS.exe	46
PID 1724 wrote to memory of 2860	1724	RpcS.exe	46
PID 2860 wrote to memory of 2596	2860	IEXPLORE.EXE	47
PID 2860 wrote to memory of 2596	2860	IEXPLORE.EXE	47
PID 2860 wrote to memory of 2596	2860	IEXPLORE.EXE	47
PID 2860 wrote to memory of 2596	2860	IEXPLORE.EXE	47
PID 1724 wrote to memory of 3004	1724	RpcS.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0cca7dad66417eb9ae5735ead9541189_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd /c .\delmeexe.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3040

C:\Windows\SysWOW64\RpcS.exe
C:\Windows\SysWOW64\RpcS.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      PID:2996
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275457 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2568
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:275467 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:900
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:406544 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2956
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:603153 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3020
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2912 CREDAT:734245 /prefetch:2
      4⤵
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:1176
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1984
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2808
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:2596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
    3⤵
    PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delmeexe.bat

Filesize
231B

MD5
879e485dcfc7cb2b8355181627a50fc9

SHA1
d122fd147d37c534e6c1ca1f55012c3b6db80aef

SHA256
9217ef7d223c99b2c9b3eea49809f673d9251bf700c59eefe21f4a4c31501a14

SHA512
496462e8097631f506d68f9fad41b3be88e3810259f00b70a1f6821f53051eb9b316527f207a56a843f03c915ce41c404c9b5b523e8cd956bfcd0570ccd8316a

Download Submit
C:\Windows\SysWOW64\RpcS.exe

Filesize
105KB

MD5
0cca7dad66417eb9ae5735ead9541189

SHA1
c82852199069aff10823f337e425fe58ebed3bd5

SHA256
1e2e6b69f0fbe06cd84afe07ddd31d9d4fddad95615a72310f5d5b1ee8c613df

SHA512
1a1ec397e2a2cde3e825676fc41fd3538cd8320a565a1a45122402a2791128a4a40ac94158f91e09da5610ecd9605c2f0402a37c57f2d5821e8618b7d56fa456

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
df0fcbc7c8e0da59ceeb856534fca9f2

SHA1
92361b88b3e0509649e94b5037e8835851a0d5d5

SHA256
102c3a9fe9cedcd2acc914f5d38e4d05f76701f4f41413ba2576136178afa24d

SHA512
24c886a735a62ca828ad79f3ac9d82a50b09f7b2fda069fcc04918ca8b0905ab618aca7b817badb0eacede1d20360f1f9973c58afc663eb2a12be2b0570a0afb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e6c66d0449dfd3aa8642b57522b2c6e

SHA1
1afab965c4dc414036914743992419b7b074314a

SHA256
25e8ef79cf7ccc22a22b1235e1ce21096836c23e870ccbe837268c687af4648a

SHA512
86f2eb4d514e5f2c38166161466cfb3803edf63250840b8adc3437882dc7eb0365a69aa812ff174b93775b2dde60e6161e57266114c901a1d9d3ae05a5c328bc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad2a9085d366aa2c5033afdcbb3650c2

SHA1
c7e5e0c17eee8a867272c3477b32b8e08764ab22

SHA256
58e7b217721d3a8f342b7c3dd2beb54c413e4b30b414fc56b5bd83a42db402a9

SHA512
99d8b188826b4d0380cb9601629ce40958a5d038aa96cd413d46a159640ad85a0b6ced1b0b9e1893cfe0437a879429778c1c94df225dbd8fbdf66f4736d2908c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c2fdaec00ba015e8b6192aa621ea880

SHA1
0331f4a01174aa74fe5e8ae0ef237165297306a4

SHA256
9113cdd47770099404889f2d0f069f3752e9b4e0676f7c461f8b137aeb769461

SHA512
4738774f82a1a93e5e53820b5bf1f9ac98b7022ff50fda39f0ab646a3955a0fd68881330d5b07640682ff563991e7bb362e7443acd4575be29cbe52bc4db00eb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b983b764a8902ee39634c6ffcd55e20

SHA1
5928fceb210b58935c91399f13750be521f8d275

SHA256
ff6c3cfb691a5cb9e6eef2b0b4824a994d71ebe6e54647681d6833406fa07988

SHA512
9441b0141eab4d7182403e3cf5422c45657632b18ae5ddb9488114f407185ae1ec58a32fbb1f9da88eed39aa95971a396d1856740e179d81f081ea2b721c6392

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d50b1dbb27d45a430b91da3cd0a96a57

SHA1
27618f8ea0e924602a2b392f8f83929699b1e3ce

SHA256
a2323027bee950aefe47b0d65b704cdbd3a4c9946be68c6d9d44e040f4bbc5cf

SHA512
0dc01b11c7ce92934fd6338b6cb3e7b854edde9665b64ca04d55f0ee4c0bb2aba7012425d1ac22d733a0906e08ea02f3c2506ed5cee65cea89f663ad6a38c80a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bef088d23ac0394536e46c088d051326

SHA1
90388639806ec6b4b3ce038229eea6ba46e69741

SHA256
acf7fc062d078fabb3c6f392b6e6dd2e8dcba1603d300050e3f8e7f5172bdbef

SHA512
3c43ed1ada7be7aba06cedc43dfb333a73fb08329eae4736a8aae2198ec34779b167021c07f5748da8c4a3c7803cded4bcc4ad26228bafa8e16f63ed50c9762c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f07343d83b9eae0085b46641467afaf6

SHA1
020b52cc1194688c1162e4699de909a79cb0c2bb

SHA256
ed4c4a4f2967f99892d399675b3fbaaa4fcb9169023c61293be21918c0101096

SHA512
f3cb4d53b21d33fb5c5eba1c30a1104abcc1273209bc62b1bdf856ff82c0211438730276f4bf1821fbe0def54e766603306786fabe45e4d4d427c5876ae46afb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ca2efd7f42e80dbb04923da43620d3e

SHA1
d8b66c3af0036d4aed5ecd5df621689a95f815b9

SHA256
0dfda4ee8d63d38ce87c4c1bbef6a66e3cd3bd32c88bdee22033b3ab76277044

SHA512
ccc7a38f13114be7892e0b057a9ec6d63c0ce481231c5b0833aa5f8009bcd760875b46b8e7ac5f09fab2e65b076541062b9f9de1d34830cb4edf254bb08462dd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2826c19f79fee578f76307ffd01054

SHA1
b857f464fc86252df8782f1677e1d62be3091a35

SHA256
d99ff51edca552a5c36fcccb78c63cb29e033c00ecf42d2aab02390be99fb2f8

SHA512
0a4d6c6b4a6a39dc025e942562d220c2e9820254d8fdbd15a2ef4cb27f7059192f864405b5bf21cfbb292a92c90592b29bab8df378bf8d359e3a62e0e26115db

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
588a7f70fd9198548dd809eaf4ce657c

SHA1
9571d57888508f8eefdfcb85cc2ba3a221a61d02

SHA256
7b6590b64b53e6224ecf3f488233a5dd21e0194d734729f27c57ed72b3354755

SHA512
08c60efa83eca1687500b79aa4806ba9f701bebe9bee8633ecbd784858b67b4212ce11281ff54cd43d3425139471d7fff9e5ada779d95f9b1457bb4bfee73198

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72c28159bfd7316e5fb243baadf2120

SHA1
45c6cd324f63a50219ad45dd599b386e5d66f2be

SHA256
7057796e124bc346f624a45f564da752e03f0c88b4e9f7108b18f564de8a6052

SHA512
87d4dfe916b0c4b92f0acdf33cfea14d5317802b48c9062ea0391a6be3d4c2503f81e04a829139053ee07680f4de40fa837459c561324f1aae9d9173f91c0c08

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d5115ea6b6de67c7b370c9132042053

SHA1
0af4ef0611043d3c4ee5416e05aeef1cfda86928

SHA256
16dcd05d841bf8b1040d9f3dd883ad80a884fc914b98621987eb453015d9ad34

SHA512
d1fc52cd27f025bd0435a50be6a4820eac78c22cb2aac45e981822205074c4cfe3a869e7083b6f25efd347fc8fee5d4205b303929d4f450dd011f291fa2cc162

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ac5ece46ae667770ff97b8abb4c844

SHA1
2b8c2df633c38f9aa45ed510b3d162a9d13955de

SHA256
973787efe4550e9bfc22ad4215d083903e26420f8b897e1403a61ee6db1ca8be

SHA512
d0ede995469045c43524b4a72270b3274a6bbea150a0110f05c05840984c6dcf84d8df5442b6acf03e7f63edc88541a11308d996ca4dd83fe89c258f51cfc013

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a3c367db8cb5918e1e233bebc1aecea

SHA1
e94f161f99a3ddff582598708fffe86b5ffb5957

SHA256
6cc62a846bc8ede4b2eec4779deec4b65bc7126e44781bca702eef49bbda190c

SHA512
62eb30214b17d7b8cf83dd9f209df22dade8b87c169b7517f3e2f5374d1edb4ba79837da4a8cc922095d24b224e35c39251c23f01d9803f4bfdf940cacae4c0e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdf4e7606213266e860d07893a7a87ec

SHA1
4602e9f7d4544baf31383d1648638ddbffab2a65

SHA256
bcb57a1f1f3b83b6fae3c5a20959d72fd28b7dedd5cf1923fbab43e1a37041cd

SHA512
5e9cbb5f58151d8e9b923eef3bda08ed7cf26902ae87a734390dc09a6fdf7af9774d311c7e6d1217269daec28299277e32c49c0240069c63cdcb79f38df71a9d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcbfde6e606ebcbb5f9a406cddd7acba

SHA1
e0109de6d28faf553c64cdd6ddd0c7850aa07bf8

SHA256
63aa90551f30e67cc7643eeafb4f5ea6df8a73f6842d6d1068293584d47650e9

SHA512
44780727f205938e6d8c34d2e410331e183095e739d2eb3b45a0c21d9d5bb34bb5af614e4e22066fb542ae4bd64017173a2488f764b016fadec2c3e535e18f3f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b0eef1fb6cf12a180b068ed635dae51

SHA1
f906df167e4555099f9b8a903d60747e82a22e01

SHA256
ff0e9c63cafd42bfc8b5afdbf0557cc62ff2ec0ce03c5461fe8b3e62ffa8dfd8

SHA512
eb54c6731130c1288770672cc4d19480218d07b6666dcd81dca4eb896820439ae4552763a04224e18408fcf476cdabf58a248fb749dd132b998a5b6543255423

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5432fc7d89bfc963981a906118ae0501

SHA1
6cb7c920e03337ac87754fb514409329d1474c82

SHA256
444ba6551bd74763a5874772302874b8fcf962215b84deb6a01571a9979fe01f

SHA512
a7db05d18e626d0a9409613ad24eaabf701165ce555941527f3d4f288c74dcdfdcbd505549c94ba94eeaf7420c59f8a28997126a4b43b1dd5c3ffd232a045ee5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
36475d89594fe1aafacc61da75c399d8

SHA1
a07b35c7faa18eebbcc3113ed8feccd2cf720737

SHA256
84e2174d44ec1ebc8b9a81af85fc49bc678bdc3b2a18a5f8cfa9df0c0e39aaca

SHA512
7dc045244bbb5d4d7546166b7d90155a8e9af4900b5c346de2b45ec52a1d513b267075bb04329871354c99b2e8d80f7c6fe813f6b4d0eb969618d874aabc669f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabBCBE.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarBCC2.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarBE60.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwB107.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwB108.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/1724-4-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-716-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-725-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-722-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-717-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-1322-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-1331-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-1334-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2256-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2256-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download