f71bfea2e40f694a2f83fb99568632b04b7ac154ab0b46aa2ea92d32b21a8fa7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
Size

929KB
MD5

3a263feb4cfd5e232ccbadc3cec739f5
SHA1

6e1312546cb23ce0c970640c592bcb9c1cfe9bc2
SHA256

f71bfea2e40f694a2f83fb99568632b04b7ac154ab0b46aa2ea92d32b21a8fa7
SHA512

5fd37927241db61a7c6bf3b04ea4f1ff9014b55f087435fd277183596c6a6eeacbaacfeaf1d8899d493f162da408ddf6598c5019bc267135f59e71cbbb8da59d
SSDEEP

3072:1TDRyxF376K115CIAk+yRQUr02D1f0nZzBbQpSl:1TDRkFL6w5tYyRQT2pMZBmSl

Score

10^/10

defense_evasion discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 18 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\esafe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcm.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpdclnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\undoboot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winroute.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccclient.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsecomr.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zauinst.exe	winlogon.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
4692	winlogon.exe
3372	winlogon.exe
4188	winlogon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Indicator Removal: Clear Persistence 1 TTPs 46 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 4692 set thread context of 3372	4692	winlogon.exe	91
PID 3372 set thread context of 4188	3372	winlogon.exe	93

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5064-0-0x0000000000E50000-0x0000000000E8C000-memory.dmp	upx
behavioral2/memory/508-1-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/5064-5-0x0000000000E50000-0x0000000000E8C000-memory.dmp	upx
behavioral2/memory/508-3-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/508-6-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0008000000023cac-13.dat	upx
behavioral2/memory/4692-16-0x0000000000680000-0x00000000006BC000-memory.dmp	upx
behavioral2/memory/508-18-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3372-22-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4692-24-0x0000000000680000-0x00000000006BC000-memory.dmp	upx
behavioral2/memory/3372-26-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4188-29-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/4188-33-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/4188-36-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/4188-32-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/3372-81-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4188-82-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000005bdf0013c398f9abaa7c060ec28e78b75ac73923d1fe80dc2a1183332eac8a5e000000000e8000000002000020000000f2a8335346a402b262b3de9d84092670b35d9179b9826f223e10e165a6178ab2200000009b9ad0acf19ae90ee33995f1c8e55b9a0492025bb5d473be0446cb5c3f582dd0400000003da800b4892d4ed5b0fc69a435a13292efc9911d7551c0f72ac41bfdc4545167df8728b23894dffbbde9ecffe21ec04b2132e906358f0bd7115c0256c4408f32	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 704d34f0a61cdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://1zf7j3z0zqlke8r.directorio-w.com"	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80c1f6d1a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 309a75f7a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50a8e7caa61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b2dcd9a61cdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31136934"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31136934"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://8ep8iz473p9yj9u.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://399l5ktp0znk1d4.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a10000000002000000000010660000000100002000000071707854e26e937fad08c79c211fc87939f9a23176ead81d14cb543aea2a6faf000000000e80000000020000200000009146372883837f02e0e2c437665739ef21aa0d07c47002fe64be1f402c753185200000005a2dd0fec09a821c97b957df62cb74f1cd0e652714f45f719d68511aa27b17d8400000009a39be319234a76c16a5fe53c7885a42553478f685c8242def30cb326b7397098c8a70d049aed9aaa4a95c66bcdd6201e5215deebba32880a2db82580e32226c	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b369f7a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20e285d2a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a10000000002000000000010660000000100002000000023414260d83c43f3e2beea6669a88c054cacd1c8dc44587e7dd982a3b0e8b90a000000000e8000000002000020000000a15a0b096b770a100b4ef5b510eca303c48810242396aeedaaa1eb4a8b5bceac200000008a353c7d40f552a5a0dffa5ffcffb25e7c50e3927063ec8a856d9c53aac60b10400000004affc267df10e0229ad9a9e9d080364ef6588f93e5e6d0cfdd6b75f555394d3b7177b8a6c02508ed7f13c1f8529adc8abe93ca875768cef15cdd57d5131f37eb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3689025457"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://706xkc0qt64yb86.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://475cg35g29l78vj.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{07847118-889A-11EF-9361-520873AEBE93} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435503035"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002322f7a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000be1e979996f25c3a4fb19bfeea900ad8f2a1bc5065eabd3ce398e6b0fbff4bf5000000000e8000000002000020000000abfb3946444f43917b0cae114d37c0e8c9287989b5d7682e91a6d9e4a49e7f78200000008f6bed6dfb9e8ec735c0908218e60a7c2066cacf3f02d2437f7b0522ea38bcfa4000000020f292cf6c17ec826afe54520285dfbef52c3d42beb6a4bd20122631c7955da2023be52b0d023d6c970d76d9f9725e1503247316ca83ff21ca7d2a5522b1a2ac	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0d4ebe8a61cdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000d621e61efbf9808d53b68ae400d8b3735f798348a58626d64d4ccc6b2ca4a061000000000e8000000002000020000000ccf219ca6f113632eaec45a1f846da3fec28a8e4d4fd59f62f4beb6b0765390920000000e0197c553ab1ae161bc767d473f9ce2e095f006015eb283a1bf68b6fe31baba740000000db707685eebafcfa3eb4ff7bf95cec8522c8052dcaa493c7293bac96dd6b32ac2039bb128554b06b719284ec88355ba059fac7fa314190376ed53aeb3d86fd57	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000003b5c111cd4145b48667fbe0f5a4c694c1e5821b552fb62a59053ae07130b2886000000000e800000000200002000000053d232e96af60c899f54d5b61e1456808405aaff82923fc01dc8908978e5c1e420000000412ae088b023481a875b4fcba1cdc188837660fb15a98929f512af0a6cceaac7400000002a764f199ffe0d473a24bfe27b3c60358e5529800b956f8e73d131e92b61cf022e4cb760adbfb7fd914a17d9c5b543a627bd7dfa3afc5f10d781a93c81332453	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000002fadad4c72da38b409b7e6ef1173859dc197e1409981ec6d47ea770a38f33e2e000000000e8000000002000020000000594c0b02a2fa6a9b8ac8d70d031b265e585e7c68b9575da69442afc51541c465200000007bfb79c187e49ca6af79a79f66a8f71b5f97715ce6e0028d083ce4dfb9bb75674000000073ebd1420ff13c18cf65ef09c744fbee8035a2f2fbbefaabfc018318f913275ad3fdad6e15c6a75eaae084f891508f3f604cc31414c3747a29d51e962b07c2fe	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10f430e9a61cdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000267b453215c6c3f106c449e72a05ba3bcb72294028e09a890ec9bc70740c01f1000000000e8000000002000020000000bccd8dd7b75aa6566b645e587891494ca4a7700754727032ba5793347a75778620000000d3fc0863cbfbb7eff70829c6145f0d640a7ca4f9b4a2d2902ea5647799fbf431400000009572a2db3aecead2170ac69077f93efd5194256f435dba7803b619ce517f3b096caf9f656bdfbaed13acdb60a489bf2ba19766de0e90dd374e5a77062e582fa6	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://2f74e1m07v53e1o.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000e617701e8d4428457b0f5e53a2d3f0caf7ab3a7f391620c21439e4bc54ca0a41000000000e800000000200002000000040954803d3ebc8773efd8dc40ef8f317f5f7ceebeda4902ef1687082affa4e8b200000008d83e32a8e5d7a7c59c14c606a2a0d73d4dfcbcaddb6fd7d5a7a32439adecaa540000000e814bdeb7cb052c04026cf1ffa31d7c313f72fe6d9715cd0a00e6aa5b590427263c77c4bbb84d9a6d6541666a3b3bc2911a653d4eddeaee6983d6fc5d7bf693d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000004875ba1669238cde8e6c758eaf88a693f165e76e40cd6df8087a68fecff8106b000000000e80000000020000200000002386b82d3243c76054419c343fb9a448f9e6da91cac42cd64caaf5cb38e547062000000081a82820afd9c681bc421c61b520a62399639fb10c9d210d69b04704cc415deb40000000cca9059e2ca2505be2bc64058ef3f17b736640c0dc47cdf08a2b59d1ca568ab2f1a58e254815da2bec8af6934e474b2193e69fdfdf06c379780731f2a8983c73	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3806525999"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000685c9fe3833f49b30ef6884d523e4d3ffb8e5c6f6832e891c1eb3c56efd2b296000000000e8000000002000020000000e6c754ef50256a6b073665cb19b82f01cc4f967ac5c9cfd9794ab13caf0e72a5200000004cf92e3b38b5d7c2dffc3d566c8257496b06a9a7bd9b5c07fe89ac6f2cbee47f400000001c5f56ae3df310b254bf7a2fe7fa305658c64d46b580b3925f01ac35b2db7a62372729d411993481bfe9e67ef5e25f3fe5403e92651431deb16e196d0ad86e71	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000d4908ad7fce4f9feeaedb216164f1bf1d73aca8bb92587347181b044ecadf9ab000000000e8000000002000020000000bbbc101686f8a89f441d4f84dba374a983d80b04176f53b0e57cea5c992abaa220000000e1b691b2ef34a5829a5e548b01b6878218b5840057c411e0422f1761aa79e9c240000000f63e4903aa084e4cd12b0ebf89583efc607047e844197ea33178fbbc338b486f96a021242d5cec4132e32e266d9c0da47d3a41d0c9395ad5ebf7593b4e13a89d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3690588360"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000d363fcbbe29e0f3a17812ee2a43e4a0bf002dc0303ab9c75a94263cfa3b032f5000000000e80000000020000200000004cf834278c90c111901a93504824d0693d66890d1ba11a1b3567ec14246b3094200000008c641cb0150017eb5c27b83cb933afdc4c22e22548eb3012763e31773e8105c440000000167949be9c2150f7253f6e73f7776ede0a4ab186cb29d831b2f8d4bff36948b1dd353bd798c3919a63ec8616de3b76fcab6040b55c7f4175b27cfad01f5376b3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a10000000002000000000010660000000100002000000037186c48060c5b3af1e43c7f8b42738aad8280e6584eb61367d010e73ff05f4f000000000e8000000002000020000000dc23ff23bc696e64d5178cc3a646adf6596c06b73c0f509d9842c2578f9c5258200000003c2888260555f72ed2e3c133eca99605279b9b22de17a781608c58397930042c400000007003b63dcc0e060bcd28d54fe4324ad14a71e85c0338e1d40d630c275e7fa7ed190734b47e72a24565a8a8021d176df70245553f886c2fac63d55e7bd8c26627	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001211e2a61cdb01	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://32940o6k9j613tj.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://32ovt9dh1oty503.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	winlogon.exe
4188	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	4188	winlogon.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe
2440	iexplore.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
508	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
3372	winlogon.exe
4188	winlogon.exe
2440	iexplore.exe
2440	iexplore.exe
1392	IEXPLORE.EXE
1392	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
2184	IEXPLORE.EXE
2184	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
2176	IEXPLORE.EXE
2176	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
4676	IEXPLORE.EXE
4676	IEXPLORE.EXE
2440	iexplore.exe
2440	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
4188	winlogon.exe
4188	winlogon.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3680	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	83
PID 5064 wrote to memory of 3680	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	83
PID 5064 wrote to memory of 3680	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	83
PID 5064 wrote to memory of 4728	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	84
PID 5064 wrote to memory of 4728	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	84
PID 5064 wrote to memory of 4728	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	84
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 5064 wrote to memory of 508	5064	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	85
PID 508 wrote to memory of 4692	508	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	89
PID 508 wrote to memory of 4692	508	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	89
PID 508 wrote to memory of 4692	508	3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe	89
PID 4692 wrote to memory of 1556	4692	winlogon.exe	90
PID 4692 wrote to memory of 1556	4692	winlogon.exe	90
PID 4692 wrote to memory of 1556	4692	winlogon.exe	90
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 4692 wrote to memory of 3372	4692	winlogon.exe	91
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 3372 wrote to memory of 4188	3372	winlogon.exe	93
PID 2440 wrote to memory of 1392	2440	iexplore.exe	98
PID 2440 wrote to memory of 1392	2440	iexplore.exe	98
PID 2440 wrote to memory of 1392	2440	iexplore.exe	98
PID 2440 wrote to memory of 2176	2440	iexplore.exe	100
PID 2440 wrote to memory of 2176	2440	iexplore.exe	100
PID 2440 wrote to memory of 2176	2440	iexplore.exe	100
PID 2440 wrote to memory of 1256	2440	iexplore.exe	101
PID 2440 wrote to memory of 1256	2440	iexplore.exe	101
PID 2440 wrote to memory of 1256	2440	iexplore.exe	101
PID 2440 wrote to memory of 2184	2440	iexplore.exe	103
PID 2440 wrote to memory of 2184	2440	iexplore.exe	103
PID 2440 wrote to memory of 2184	2440	iexplore.exe	103
PID 2440 wrote to memory of 4676	2440	iexplore.exe	105
PID 2440 wrote to memory of 4676	2440	iexplore.exe	105
PID 2440 wrote to memory of 4676	2440	iexplore.exe	105

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3680
- C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe"
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3a263feb4cfd5e232ccbadc3cec739f5_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1556
  - - C:\Users\Admin\E696D64614\winlogon.exe
      "C:\Users\Admin\E696D64614\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3372
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Drops startup file
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Indicator Removal: Clear Persistence
        System Location Discovery: System Language Discovery
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:4188

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3276

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2224

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17418 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17426 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17434 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:17448 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
1a59df6c289a1d854a026404b15a2135

SHA1
13f5b70076de35b26d8470a723645c962df69320

SHA256
a4449204c7effd91c3f970bf8badc05be30eba358cb33bb6c92ddd4ede941add

SHA512
b2b6d28b4f1ded37f9e2e39c896e6d05623b1034ccdbf06fa02803da74abaa5e6b8d898c2b757ac8de9fd80ed7c3229a6cd2948dc17aa81397f3fa5e2d8f984c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
2KB

MD5
45db1a5450af1d75df162e4fdc994beb

SHA1
001bf5f5f8ff50ef31413404d2c8c41d572ae3bb

SHA256
a16fd7c4ba43c23a28748dc1b930b337af1fc8f0a0f6a13d99ad01b3c5612bcd

SHA512
d5f80ac606ea95575331f694260dcee26e6e20f0f828d9e26e03a5fe7f4eead2e6cb148a1ec0951c7e46bc4695994f4afcef343dc2785ba36922b03b3e5b3f12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_A3FC0BC6A75F11C789144CCDE90F5957

Filesize
471B

MD5
487bd4e9f19444919463ed023a61e84a

SHA1
9c6b75c5ad9a8242a9ab163b168fcef4d13f947e

SHA256
7b30323702c25a706c6320063b3876ff37cfd68b794a4f3359c0aba6c2f75391

SHA512
a2e7e9b70245a063ff46b45ccabeddb645e9a56d25312b8351a8ada6db367866127aadd4711fec3f330e109bda4de02c53d02240013eb14297949f43d380466a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
2KB

MD5
77cc8ba82c11864629f2b06cd1ca841f

SHA1
814879c9d3885cc581343d0fbef5b9fb557a5d3c

SHA256
a28e57bd3d91c5330231424719e81ef52eea7a664de81b602006f0d8c51de3f5

SHA512
7f90d8127e440e69a68dca4574003fe3999d9d4589bfe37628dc1568b7e52f3b94dba87c43a7e6e2cda015436779fed4bd0c4b81a8cc5b6d7aa22ce1b8ee83f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
d8b6bdb2d3a1e54b96201599993cdd3c

SHA1
b5349c15444cb8cca529570d94640fc689abc4e1

SHA256
517ee5d8daa9208705ca4b54f5f0679040550a053bdcd378b590cdd2544e0fee

SHA512
db8a234d65eeb2a409ca459107aa5e3f39ac09c3f228efc3fece118624a04d7365ef900036d9cd5556a74c43b2df96cffda42a7de2e18e8d3e5b8fe37c4e7a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f5e3f4cb974b85cbceaf19b1e9da16aa

SHA1
a3fce2d319a7ecfe9b889a52ffd1d22f05707f60

SHA256
be9e4de6a3ab5c19adf39cf0741368a285b2a61d05bd0387e01eb6fbd5d8d00f

SHA512
6331a6a6a64fc9bc925f3b57b7f55a848c4886f907b7e332abb34624ae7be54598b2a02ded66fc8b1bc89d96a36b99f565c027b101ff9a7f3b497994d2b50704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
ce416b0a9b157c21cbae6702d62a3f3c

SHA1
5204243f9f8d63530152beee1de7c9bf0766307e

SHA256
7c86f863f651c885ccaea50c99308a5bd6b43a2a0ec353a90262296ffc700d61

SHA512
96efcffd53801d9922652ee2f5aef8da9de0d0e0c02be30ae40c768b3bff180fd75562a49bf89e3d543ca985a0d093c9761b5b9b62d9c507e4b1fa06c37bcad7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
14ede78f7683dc05c948c4e712bee93d

SHA1
025dec45aefe22abffcf700d175d3c7a413b276e

SHA256
4e531490205053b0f766e4a371660df047707993e635ec0210fe2b8c9a4fe85e

SHA512
bf2fe8934bf8e58eb2892154e3c78d3a1a7a44e5f7f0207ba475ce264879f93569fee22b3523a94f1bddfc04244e593dbe7420dc50e29a3bfbdf7cf018b79806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_A3FC0BC6A75F11C789144CCDE90F5957

Filesize
414B

MD5
4635a080ca26afbbc779441c11851181

SHA1
2cf851ca1eefca01fc99f62b21a1f6b460e24683

SHA256
4c0ad336ef3c6cf5f501dd3b1f2057911d612b4aa6ddc9f33fa420f4bc1584bc

SHA512
d1c19494ca4e44b8b60b682d11815163232207c82aa18db01e05f15390eb359c3fc375668d4aebcd2c9abade104cc5061f4a91392dde364fa005c5370d574d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
44a4a4140d32f0dd30a1144ccf265346

SHA1
f57dd62dc5a830fc11eea9ba8fe022fd973802c3

SHA256
3fd9bf164cbbc8ee923363e28b7af2889a4a4ee2a048a5fda922fb91fc34e00d

SHA512
3ff8f68e1bdf0acb8591b41d3a39a316dfd09e593e5059bdf05262c5cd1e0a2e7c4b67b0c2f1ad27e4e0c2fdd706009a7a653e18b3e6a1389064a4537b4d0ed7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
33de821c5bfd976b31a9da1a0760e0e9

SHA1
99946fd4f82fce16689de99fc20e4306d46b56da

SHA256
ed46512ac610d969f8af7a0b2d44babda3d1fdd0d0ad9599ab2004295f53fe89

SHA512
25de1ee0f8ae957bb82c09a5c8a403708b822b67ec81b6d8466d9d08ee604a6949313c3a802405811b6f907f569743e2fe23f31b40ec1ca9a76c4f04417362eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\caf[1].js

Filesize
150KB

MD5
e3e9f8d95588fd88a52bcbb7a5322cab

SHA1
92c3a1c0040603cbe84e0103babf7ab557719a4d

SHA256
4c67a3fba6eb146cf2dddadbeebf1b393199b4514457ed756fdce9fdf9a285cd

SHA512
6378044060acdb782c23b295feebc49858dba4b571514cbbf57292c615595baac3d8417a1d3b83649747e7ee8aea7ea61201fe0acf624320dcdd636fe6f7f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\http_404_webOC[1]

Filesize
6KB

MD5
92ab50175c4b03970f264c637c78febe

SHA1
b00fbe1169da972ba4a4a84871af9eca7479000a

SHA256
3926c545ae82fc264c98d6c229a8a0999e2b59ed2bb736f1bda9e2f89e0eeac8

SHA512
3311f118963ad1eaf1b9c7fb10b67280aae1ab38358aed77c10f2587100427af58c7d008abb46ad0f59880ac51e50b5a53fc2c2a96d70f5ece4578ab72382b7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\main.36e19f48[1].js

Filesize
674KB

MD5
449b102f3891baa1b7e19c676a443066

SHA1
09fc9b6b47f792e96339121fe61a7b1c53c8481e

SHA256
81a5900839e1bb0d7504909e489997d1dac54fd473face4168d9377d73cfa46f

SHA512
06162c2a757dab2dc244e22d1f022f2f65e6fb9cac72b2bbf5a7e266ac80a1392ea04c9651fd6a3535d22c59410588659331f869e56aff395cf72f3ef1321610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\tag[1].js

Filesize
58KB

MD5
7378d3ef3bcb274a3fef6a74579f059a

SHA1
e8d6929cee9bbeed6519efff66d2183aa4cc323e

SHA256
076fe7eed544528a51dbcab080a176591e0ab5b5f4dd2f5b2083a142f083c0c6

SHA512
f7f15dfa27558506783687adede1a1a4aa88b6713026a21ecb4b98c8d63a2075d1dd04e3bc36b80a5c19bec491a3281126c7af5b3de92980c2c6a76ffb6f9ee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\B24BYAD7.htm

Filesize
872B

MD5
a1462740e596342ff85d070721f242de

SHA1
0294531bc30a32719031f608d8d3b1cd58f49473

SHA256
41ed748b165204d9bdf33e21f1c6f38f20e46e8aafc3cc3ec304322fe1cff6ea

SHA512
fbcd07b00e65f26620cb4a430fc027154655e68dea4ad2b615dfe5be4a8287c4ef3f910bff198273e226decc97611f4c6025dc7c083b22adc905f5d4a92427a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\OQXME55O.htm

Filesize
872B

MD5
7d6c53818260717f6bc05a942e227220

SHA1
085e72394f31b1254f7b2aa821bdad57e065de06

SHA256
dc237c0de81d57ac2bf29fabab1a9ac824b407811eb4cf6272acec2be5ff38fb

SHA512
9aed6f0e537bb42bb2a5d92aa04d6b7359eeaa2430113f676f754adc585590c4e26cf87a6b59dd99bf535b2fad27945c4153f92d03a291076adeaeb23f50d06a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\PZPXJREX.htm

Filesize
220B

MD5
8675b7e831ca32c181bcae97697f66e1

SHA1
e55bd6a8e1ba6b9f0ab83c92899b67a318cf4aea

SHA256
eec20fed1b69999e8d0bef7a6004193038c97f7a19d52fd6afaded1c0edf4ef7

SHA512
698696eb393f8d54ebc9bb478f79a934c4813c59ddde879591e425811493fc94352e649b745d976f3d877b6241dab7f6bb38c2f3b9eebd9fcd2e94dd754a2066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\ZQH6UP7B.htm

Filesize
872B

MD5
648101bce0268afec2e00f45f7641bfc

SHA1
5d845a6ce590b990ce7125c4bed40714a14b681b

SHA256
a2ec7f5932f7ce8eed7be27f990533a471469cf604fbc640f88ae7a5250f9d76

SHA512
c87691c4094eae19c261128efffe91da5bdbbe3c9ed17f8939c6d9097eb8a45d29a1a3402bb018ef7ada4a395f81c79f268505691734aa98ca260b72fa442ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\main.ef90a627[1].css

Filesize
3KB

MD5
3f821ada778691e677aef2cea8c4b4f6

SHA1
643e7b729b25c2f800469623191dc837798e9d50

SHA256
7510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d

SHA512
8993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0TSRVAPX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\181GGQZM.htm

Filesize
872B

MD5
6389d84e40254b06f6780824bf398ba4

SHA1
bb94263a89223ad3c892b55e53e3bd65939ede31

SHA256
23747cb419a665625623f5eb6e15c990cb2811ac85f9829838a5ea1eb07c74bb

SHA512
65cda3a05c826ee5f16436a9354f09ef0804ffc0cf01a5153dff85ebba12fe7b3dc45ede10ac140be29ef66667a7fd7d3ae65c701b988dec23c8f3e39a2082b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\DNTECG4C.htm

Filesize
872B

MD5
6bd7c5b75f1130078bebaa108271a7cf

SHA1
121f90ed66f23d16eb7c0ccc7daf8046c4ace227

SHA256
70610f733b5c978c9e93a22b69831f9d15b87ac60de61f6caf80e194debb2a5d

SHA512
743d3b6e3a23f21b61450900e8f1322440c6e01e64a8c8fb4e28567b2a158dbeecf842fd37d71f4fb9920f2216e0ab4561c7c5ee173811361030abfad36ea57f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\ND187KAU.htm

Filesize
872B

MD5
9cf48f1866ebbfcaa764153cad6a51e5

SHA1
2a736e2848afa9b1370394931b4feb137ca071df

SHA256
1e44a2b7a492c679e4faf158a4b478e938de7f451dae733c23e7d2e1115ebacb

SHA512
6986b463c0920af1bf9d63fe6c2b5bb9157489c85908f8a7a934b94b9d282a3c3345136ca7fe3f53ed8d74218357494c8ea727179ba5bfc0659f487284d78db6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JAZ6MGFU\lander[1].htm

Filesize
620B

MD5
b90de8db327e4bbd8578971715c20f6b

SHA1
4a86f6e7979314934775d934d6f00e96a3ca3418

SHA256
5e082d46aa366a8e97c98d5ea3bd3811ffd29373698ec0d22bfc5ebd79721f9b

SHA512
7abf7059fd439c388998dd00bc8093e39fe42bdd05c7a5ed8c0001903ce071bed47f9db649be9d27e657130b59739d63c8f905d1df5f4be6ebce1afb55ed333c

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
929KB

MD5
3a263feb4cfd5e232ccbadc3cec739f5

SHA1
6e1312546cb23ce0c970640c592bcb9c1cfe9bc2

SHA256
f71bfea2e40f694a2f83fb99568632b04b7ac154ab0b46aa2ea92d32b21a8fa7

SHA512
5fd37927241db61a7c6bf3b04ea4f1ff9014b55f087435fd277183596c6a6eeacbaacfeaf1d8899d493f162da408ddf6598c5019bc267135f59e71cbbb8da59d

Download Submit
memory/508-18-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/508-6-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/508-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/508-1-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3372-22-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3372-26-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3372-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4188-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-29-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-82-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4692-16-0x0000000000680000-0x00000000006BC000-memory.dmp

Filesize
240KB

Download
memory/4692-24-0x0000000000680000-0x00000000006BC000-memory.dmp

Filesize
240KB

Download
memory/5064-5-0x0000000000E50000-0x0000000000E8C000-memory.dmp

Filesize
240KB

Download
memory/5064-0-0x0000000000E50000-0x0000000000E8C000-memory.dmp

Filesize
240KB

Download