darkcomet | 16b23e2f1893ebfd6d98d5ba8f6ff45d143a8b5fa0672fadaf0e44be72b359b4

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Size

5.2MB
MD5

4ad69c1a5f6459baf6fb722edf533f49
SHA1

f47f0c62826013d8506700ec7c5c2a5f3dff6bc0
SHA256

16b23e2f1893ebfd6d98d5ba8f6ff45d143a8b5fa0672fadaf0e44be72b359b4
SHA512

0d91fc35dd06a457543f9163231ef39f6913052641a35e21d8f8e234705277f1ab3fd30072fbd2b880eff8f1548455d09fe6c8c4d84f9bb92424fdf3ec6724a9
SSDEEP

49152:6QDgok303Zzl6QOy94YaJuFXkTIlrZ0ISiRctgVf0d2ZKwr7cUxEUotoKVbmqSEq:6QU/sZzNqNM+IbBcfdHVbY

Score

10^/10

darkcomet adminastor discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Adminastor

psshackteam.duckdns.org:1604

192.168.1.21:1604

Mutex

DC_MUTEX-XQZH4JA

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
FxgyqdzTfgm7
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe

Deletes itself 1 IoCs

pid	Process
2716	notepad.exe

Executes dropped EXE 2 IoCs

pid	Process
1664	WIFIGUARD.EXE
2828	msdcsc.exe

Loads dropped DLL 3 IoCs

pid	Process
1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	iexplore.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2828 set thread context of 2672	2828	msdcsc.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000091f0dfa4ef07c51a6a65cc3281c9a0205ef068d583d5a79ec3598db9279c7ec4000000000e8000000002000020000000e1146886427437067a467925b1836e08da5c0f7882ed174a726c39416b712ca0a00100005b8fce0ef092ae8e6303b74978d22ed30d3a9b6512dfd3e7a6b390a9215fb25a6fda8280371e4d4a124ad6aa130e67e1954b8ddb5c0c6d24242e1b4734034195fde325dea9794d08f70eb647a7edbb1152a0c867c5aebf737c8d4e50ac61ac0f529e6fafa56d0a693751e36f2efbd8454d373a493d43b3f2ed459a324666c3ac233df8317507e9264829cd9f2115d575b9bd1ec898cdc7f396787acbae2d20e0163372b19185408185dccfdf77a92a6e7d1011655dcb484ff6237ae10dd878f0580403495672cfb7067c7c140b3ab9758b820ccf6b20990143c13ebc9843db855d393e85ba2e98746b557730b594eb32166589da121c1f8e6c50be5f85dae76e9a38759f178ce7096fab8e3960cdd8d0802a65ae7d2e26e98327e10f753f203bd599f43ea85458db7a99c0819467b3fecc3c66a7f00c831cd52870c8c8aad9c52a4eb3cddc6dfb5ba49ea6949514af568e71da6bbd4bf8d58e27ae4936da544b11feff42a0217584e41f82d555849af2cbf36162e08cb2b87a5c2fd287681ff4f53965ab0b29d1e65cdbb367121ef7dfe309065aaa23e3fa3e927806b052c618400000007498d33e08d2c6c48313b2afa958e76661c0f381edba0aaf2d25c1351c5afd9ce7bc42b0da8c8393afbab4e14170d45875ac7b0f03754320a3647ccf1bcb92d2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000a1165737187e73fca3a9920c501bb8d8d024ba5260a23b758fa56fae6718c3a5000000000e800000000200002000000014fef23d6ccb54605796e920d450160be417e8c4c363150a480bea4dee1397f9a0010000661d6c3ca30bded97e62f610f2f9e60b13a85c5f0d65278b8b84d3748abfa9890f8c48a3ecf31c660ec811b31489bff533e2623efe2aa45898021adda8f2366af6d72059bb11e7dd1ea288c111347a9e64184f3285370a71237c1876ae55f46db6041a608e6f166dc4b7260b557590731bbb0b8a51482384694fba408c29f030765e6e52613675d9e029557f88f2954c02b1957919c6d1bb2c04402d2f0c953eee78de6f91584cd7e287a22871573d954dfde5f76081dd7b6321b67c0559d71df2a1483760295bbaca81228a287bf2bd366f953aa4627fed2ad3e8c1bde5aa901424d06a95d1b1fdf5919fa21388ff36ecc61badf40e97226d67cd8a5ab20b6147203b39ebcebc26e5fe74b6c14444b735eb7966cd6270def32ea40c98b5b60cbac68efedc449526abc181ed2b5478c7c29c6027dd78431fefa6f63b5dd89e681cd1b22948181f545ec82031dd57a0463cc3ca758731756de768d998a676c0ee7273cf27a579fa738014632dc69af9b128dff9b323a981c04ad641456544663e079b68f706470de517337aa62c1ef7f458d1dbc5f6e035c4005dccb5df6157e340000000d04d9cf0f12731082a492b56b72fea48e938c4eada8f1f0a7bbd52296b50b846e0d0295c87c9c4670ab7fa45a837352563176f593b18120e967fc7954ab34cdb	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E96F821-8B5E-11EF-9630-523A95B0E536} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000007ba81c36c5ba7e8b59646057796b442e0c6e33ccf40c4d27b8b3f1d82a5c1d63000000000e80000000020000200000008efd6f3a41135622635d13ac188ca327049b4e8494f2b85f69fc7a70d8f20f60a00100000e1eee2cb89ea48ca2bf6a48d4598ae3fec6c96f4b9296b7c7878500c3f7ee5b4beac76cb21f0fd655fbc8ce967b7cf6045e9d4b60b1da4851ecd03009b90e993195d89dafba0d4558b9aee87020ae9880d6340878d5f39c806185e4791cf2f16668aa75d81de525464c50df7e60f14c6bcb063fb5745c91f2a8094e49a95386b84cd650a0a2027d230f724b120651839507774f304cce024f001e1d5b9ae89e05d1c049a99f96c28515f91c9aa6e7b9a5bb47fd27caa3ef205ce2bf013a8823d90937a7a87ab07a1e53cfa113a27cfba16dbac3a5fb9eab68d12b227263e1582795e053d2877fbf196fb2a3dd2e982cfc26d36b1f6851412f2f36ffb7f2eb512aeac0c9b0441076d3e7cdf0a85a2911d11a28d53b1a316477fd815642175fb58ed7d785758569ea193662d1e8c1079eca183c63169fdf7e1b374f69d4c7ecd0c8c4499d329d6a0b663b4d3cb2462d784e26f6e939d4b2ddaca71b240e73bc16ae2681a13fcff17dd3ff24ea49761d2baab290c459fa0570ebcdbec36d6607f5bd5dff9d81da2003d07a5905c45b9932451dbe1f7eb78d3cbee0dc5159dc6fc340000000670d9f5af6288d54b3e94193da952d7063d7885435208d58fa526f1155f491b9f2974ed91590f83b71688904ee33f90920f401636c13e1dec2658713bc62aaa3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000041893635c98afcbd2fe144de4857d209badcbc766863035938a7c8eeea6966f1000000000e8000000002000020000000f64450872974ab98b3634865f0902b079821bb4cc25bb8e1998a3ce8c978c085a001000021a7693d00d9055118ecf1eabf6566b6a458ceed7f5fa972b4a2c0840719db63a782b6599b7776aa6b84b1eb765ecf990a414b77945ad51218eb3019888485ab5874ac7c1b1f5653cc16fc55e79b5d60c02e49ef5e91d8ca0a94e38a1b2e73f64788ab8cf06445ec390c9b096b2ff2941fcc558ba511ff00cc266c5cbc65082e2857a7006ba869a5abf331e3762c5f05b36ce9fc8317c2c80feb0856d747195e43bb8acf277e019d21b23453152aab69d162d847c0e7beb1f67e2490b56abb1a5771e02aa9a4126a312027338939311e629e2ea441c3f55b972b74c90492dde134a5acdd1f6a75d2be121b06fe629d52fee7818d256c6cefff823a32cce245abe49b68b00cedca234fee3c172e0ae233139c83f463d2a5147b53628c443637fe2bdd94c02c73464948a7bbd1ecfab32babed0e502f24d9a5e9a1ecf3ff903d81b11ef90ca59a759ae9315f48cc061cb82469172a6de09151dbd2e78253d5a74cae2f35c91f98177cd1a8e50fe3ee49acff1bffe22b0c51cb184fd1773e61a1bc223d20255204a341e9b2c0c3c22e36cd27047e2ecb1220dcaa8e59283a8128664000000083616f6a921b906d717f79f1587f18e16f93794c2d0505fd62f72d7bd2fa4b7dbd786093f09be7f4e5a4613eadcbd00370ba1ac9929479874db845581f69261b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000002407913b2264e7311a33f49cf61c847842f6482f4f2978c6c6478f10f24316e5000000000e80000000020000200000008bf05b13c6009d093801f20321ecc44bab637f9007118b9ef0f3b884c322e848900000007aecbd04e50c72f3afd6ff4a32dfcbc2d27d495e6dfb0708702fa413a091777ed697cb24bca342bb5497efd4187806f62a85921fcc3221038962e05cd20a160fb420cb10ca9504fe1aa8af0df39b2ab275aa1d09212359c1ab7b08ac3ef44989e9fbe11f8d03d059d9233fee31c329203760b80eef9d3c7a7def77457726929e719f02e1c9c3e0d569bab022f2e3a6f540000000939e9fb9316c31c30247e0407a383700cce1698f8cc5c2b001a35f46fb00e04a36367ad90db97a06c556bf4f6e63678dd5d3f7d321a68c68a473b9e3a8d0d630	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435204238"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000007a086dab39d79780d5c0e0878a74b391f47879782e0f0cf000ee88ccc33e6fd3000000000e800000000200002000000057128422710f2111c1588ba1bfb270498d652d63ca6aa2de4a8b466ca92ff6d9a0010000c2cf11d76250e3c3eeb0ee02566a956934bf627ec25b95ed2be81b288aec1f7ece44b854a15cec28cc4cfbbbf002cc067fbfe4421f21a9641539a4035d81d74848bec92eea505549b97e397b7c86ed5f27b6b65f72ceb7860fd997af8a2d34875a5401d0b78a28da43aa54b173cf546159d8ccb243ea07cd4c87de543e97ea46bb26153c0812f6682727112f89b03e5f24907d2fdeb5fe6a999680738465aca8096b48556ef9d17d635794cbefba6fa82f0586ef30cec8d49ae6f379b86c61bbf88223955ca7c89ecaf1a597fd6a7b1f86b3febb35964b1b2648d0621cd86b5a1e637d7dfec2937fcd6d19867ec9213f8cb0166d8e0468b3c45829ef2266cccbe156c62a148dfddc7384ba85c5390e0308f32299a76597c3fe381287017132fd15d1b83ae95d680b301068dec9d2fad2a2aa8aa3d31e9e53d06250552a738875b6b079d4a8ec6f1f5ecf53a4ab5d04d19964088bf27c1bb079e4a9cb7a60bd9540864a46cb445f6d582db7aaf6d785535b20424937bbf549eb858cc42e3b1b5fdcccb61652eae0c1d1f964a09bcb91d189811b7c0bd571ba58e1dcd55da4abc34000000005bbd851abe0bd273d6ac7d13cb27f1bb3909e8e05eb5e22e6e93be1784c7e7a247e0c7e089d830a9522e83c966eecc45671f965db1602b0e1db1eeeca22a123	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000ef8605f9b486b5e3e1b686825d24033ba4548efeb166862f6687007fd4c5aaeb000000000e8000000002000020000000e84a7804f36c7d1d8a8abc5d8b8ff4f90a32783e3acdc16052c3e527e441f016a00100003a3a6805870cb4a843a5453545432d42c37deea286a0d5e5f8973ca6827a5f95e8fa12eba78544da0cb5fe0a6a549aa01f13794d3528c73f04cc221f83456b0f1269372e42c0c0362ebc4c8c384ce119519885e394d7c6ab9e1b70d6b1ae8f9200a865f89b6f5da53e76242fdfb7f3d4d0e989e514315f68a2f0dd20cd9e8fc8dc8f0359f1e8bcd83dd6d33c66dd5bd96ac1e1203fc6292d258589a06815e5f638e31b29d13bc3fc0c616ec364656bf5d34d7288ecc4a966bcc7175ab8b1ee5c1335cc528a7b98037fa909c8c9dfede6b5c937c14db378e3725a0fe933bb7a1a316c182cb6f0f900f37bf6aa3b035ea9cf0468edaaba7b309a9460cf2990acc06cee18cb5dcddda0d70e5d7416b0f71a4fa9f54f67c5dbfb6f7fcba351559e19604b6040acbaa40bca88ebac76f2c1be8f873c4d9da8c29b284080419f73d255b4b025f37011a52560b3852ffed708a370e69673bce5020505558ba6ff53710327e6599dd4698a10f7dfff765fe5342d73192f024c15cdc06ddf20ea54439819222c21dd1e206825b9322bbff72df62d01bf54ef902dbb0959a5265f7231b3c0400000002631c53b542e97d88ae6eb0173722abb89aedb8027d2be1c8031cd7bbb4c67684c9224d278e2e4993b7e894321bf4863b2fa2b3c123db1808078c88dbb889f3e	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000109c6025bb439447690048329b1f8eb6553b62f1e10de4cb5d3223263a7dcd8d000000000e800000000200002000000099f7aaf1554cf4693b00f8269705c796379c68ffc413d3b4017cdcdf34c4490da001000036519b29c69ea5ea0f8b1ceba926fa8282b39c79a50d7f3127d98b6e67b2ae9d06abab1d05a155d0595b71a7cc56b05f9b7f53b4ff9d3b3d80421299e4e885ccc0bce33f9639d4fcbc25b1db6155a8caafa55ca39829d4ff7319862a25e2dbf37f3f3fa9e8694ba84a253f16ec973f4078f2d1f200a77b543f0ac58a1715a4173010e2f57dafd8b329c9854c6e703e0483266d2340401796f08fb1787f3109c7477e6451cded8ad5f60dbeecb01640248bdcd81f54f3cee364d4c69568251df4a759dd8be8cf502b7371f3210bc8d43b16ed1cdaaec18f7b6a681b057b515ed2c9af441cdb8c385a204507b2b9f97ad4f0b4eec389ab1ea876c1e49ec162fc8a081f52754b0659a281a88d24dbf1f5c82512af70c750eaecbc5c33493ed69bf2d455003cb607f68ccf55efcc9d6792a4426e5e4a22c094e37d525f6dc40bc30cb4590f7a4323a83e8f45cb223de32b57284b59013c9681dd09486c1b1da672fbdab6ca874fe84cd4e656fb2e6cbc32b9a381fa20ec885bf0f1bbdb0fd4f04bc24ac952c6559588a5926ff1606555c6e156bcaf3edfaf9244eb05b2b3437df14b400000002c1cd9bf851eede7cd3c3abc521fd71cababe449c64b11f1027c5c5a3cac756bc74b1e6f7566a37ca306b43969e51ca083834566d16f140d1a91bcfbe6ddf0bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50dad8586b1fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000003a2c9dce123efcc8499904d83d4e048aa671ccfc5f9942288231ba7219011b76000000000e80000000020000200000002a420828f34ba3ad9ded48d49c78e6db1bfe6d808e29e1daf9aef5324b321e8aa0010000bd7857f3e6337e527f28043e99f947cda1498bccbe21a38f8046f3770a318448167d61f6b4f7ded3e92f7a4586c41a5f63f5375e51eef63e393ed8657de6a3d536d391e68652915a14ade72dd67c92c8ee827ec2d5a7ea527a1857b913a3d8679895eb803560a967c094284c5cac65be745fa0b47c9b6cae70138b98eea0a1412d3ba0a97bc6bba7c0a7318272f85be883798cdec7c6648ae9e319f0579dfa12091c5aa66ff91494496eb2b856c7b6321f0a88db30828ce861ae412c626a33226834b524d90a9768548450e982b135e7dea945b56628c2e153f8ed64792f29a9d8ef8657704129e83aff6eb79fdd929846585f5fbc6fee33f03a47a773db35797f9d7ef2fb287a3cdd058253d8b5a6f8ce1df9d6eb1c196160dca33beadd61d7ddfae2b0f753babf9f43b2247e08925db7307b3b1aef41cce42b23e1a502660b22dca485dba688ab001580e1830a13ed9ebe6822994a6d37a62777f31afbcc7e0c22f3cd31b06a7cd9aede6e1d288631a8d0655e1715bf613e96a3ac16bdb952c61834e50a41c99b2c2b6e2064fafce5fb822fd2451f22c7c4ea66b6ef5d5c0540000000bd2829ac96f6f15fab869c07dec5873d8a726aabc8eeded88147f45a329d8c46028d7daa36989d93dbf8f5c4c70fd5b1b2203f2064657d356cba881a563a5c6d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000054c7641fb0c41f5e500740fd26050a3d4f68067098659d3b833c02a2c260eb87000000000e8000000002000020000000802ed50e6811545bb3cbe420aeeada8d347778d4487aefd3725316ef43a290e9a00100009f1f8827cdcf9931ec270f48526c0f383a3d61d4f9ab43cb31be48b2b6f846b5b8298f59b64ab01493624819f403e3a6f0a3e9bb6d7041be21af9c499471ffda65c2c5aac614ac90753e082e4515d77107eb9ed139125d54d90fb2394928cc65db650455b7f03cedf7f8d6a11d6571fae2e5e3027f594539b1bb868be17fb63caeb70ee61d185aa4f9307ed351bbc33211be79c086f6b98e40956d638f31ac5952ab953197bec2089d68f542e508d3d195e214e3b299b5a723981cec48146b1fdc0855f7635081a2ba4bbfa77dce514cc4484a878bbb60c272323fac1d73ee30d6401be248fae75e831a79fdac5cddb6faeec418340c59a1a8fe32dae49146dad2e7324f98585aba304ea4fa3cf5af3a5c00f812775a70db19f2221b70c2e8f9c4163955d8aa621fcdc068bb31a0a10cae7e1232ad6433016b98497dc9008d787edc1204b3dec95eab2b9ea29e9caf241b6021a9b875f0a8b1aa4fd1829273abef71476f6eac6c739a1e46cbe5f99cfdcb8de89b309f92d4bb475a5a1ff7304d4933b2e36f9e9fdb55087ff72a161165bb6d48e8dacb479ce375315a90911cd94000000073210ab1637c257e244097cbe60af3df3afcdbfd43ad6a9d883a91c8bcb15942f1e2ca5138f97cebf4f4e0ce450f2183b0b7ab20690986ee4fbbac240124227d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000ca1c294a188492ca81e7c4a3c967b3d34ddf59804d4e4ac20c890df6223bde6f000000000e800000000200002000000006f4285d3f2234491a7c914d74e57a32d51d99227ed120ef0f67d550c6d0dedba001000055747ae40a08e762e78a63c3dd67e5be7fb53886cfa2bd9bfb9bb8d26fac0c2712594be798a0ea491ececbd8c8131830762e857eb313b6c7723a0e8a462f118b67478ac6f8aa4bab386660c087151b138e991b1973224c32136c608e7aecf4bcc2d1555ee2558327f99850a3f7fa1906758e0c141301c8d7625a821dc79e26eceee880286619a2c27ba70db0dca5151202f0190b38c65932e63e6580906ac2e4acf252fa0bb44b2bb896ca793a44ffeaf2f5605206b5e2f27fd5fc871d14ed9c018461104719cbeb88b1195b9ec6c87adc25cfe04187e1c46174ccf1db6c309adb69276142b95529f2dbfd8ae76bec8c4f91822e17e82a46d8df4319df549274a7dc395e0b970bf6baf6f3b1cefd25564cf52f13995c09cde16c2bef6f8c1a3fcba865c5369b7ac1728174c140cd4506b8425cea3f399b2b6940f22fd85a6199dea53bf1fc53ea1e5b33dacfc8a4fb33682e4c7c2c751d4ddf7f928ec8b48749d09640333d7f301c94e3f4225257616e2ed8e2dfbcd3f1b0d3ba9f0290feaf64d8d5d678dde891644c0918186d8679ae446bd632b20314edc5f2f8c21346c75140000000fad5d61d3075767ff3073dc45641d2ccbeddf09d4a9155c61e08691cfff016afc9c153b4cbfec3847ebd14af29a9ddd4ef800a84b8641dd01e60a0a631df6106	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000002861613e46b9054f7de12c790f69fa6593fd871eb72c20aac822b77834f1a8cf000000000e80000000020000200000007aac267d1bc4acb9e302483431d7490455d0c7db880f80bca546edee526486eea0010000e57672e5f51f779d81d442a9946846adb9b1a8c0bbc621ccc915e8b5dfb407632febd6504204ac9c4bba871a0081322eaabd6bfd4de81f381c884bc3085d3423f55cdc60a2e97efa68171d989751e05df633051798cb164fa367bce01b52769bc8492c3ffb80f3ebfdd09d8abd453aa3957f5c1f50b5a2a6e78a6bd38240763db1b6a7cd0c954d91d1e1368b9754d2821160d092313216f03c50d382ad959a0110592ab8eb529c1fe0b04f6d2059efa2036a5ef262ab4b4bc1a0d4511befdb26c40b786de04105d08b7b18136888bd13e7b7879d69e9caf85916757363d435ab5f1a7e67a3c39fc25e54cb5ff081c1dbd7f0cb3083c577a0e3a0710e785ac8fd865b2afdf376a6c014f06f3e6715925f39455d336c3a0e2be983de4a3912a7cf4b76d258aff0a7cbb19f963659322b0cf312d9ab2cc74ce942cc8e11f4e2be5b4611ddadbd0762a89416c5d5c880dd202a6119d9d35376b5718e49bf79867e4f86c3c0f80f0fd5fd7dcbfd8308f1237cb162a73bd413e50372e3650370f9476857b26e544f7ee2471f0dcb115ef9788e150009689c551de0a7f800c21756f85140000000566fa58dc8263d4f05bef07956a67b20997da1ad7f8985f02a1922692eec84451e8671f277c604f243ddef25092e31152a4c503601d81c15ff533aebb5126fc4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000067630cd4044c8254a940889a311f81d956bfe591ced0e4192f8337d7c1c645c3000000000e800000000200002000000041aceb1edb8ce37265df3d76a36657d2dacdbba8e9c5c6bb009781d132eb5039a00100004008e01f79f5ff88d36075aee37bfd3adfb5e78368a73a8e1901575aded4750a42604089f69a5d5ebb2447dbdcc10dc0223b2546d8a8d01eaf453a419b5e03316fff5264d92e18a412b6c70d6670e619a81464452e1d9197c45b3dcfd21834de098e8deff69c6ea2fd686e01a36d658c4f8c387bad57309cd913f498932239abb6c420124a21a84426604fc259fbb2e1d75e771de8117d89bdc75440aab0043272c2972a33687e19ce983dabdf5f66347c9c6b1b566043d5a7a903895ab9d1d0b59e32e5875b591c09f5c7117fa61792af42d2009ecabd6205d11118b670d8b0b18799a2261af4a8147610fffe91b0de57bafd94ea522400e065f7f929c0b6e5e316cb6ce9f8bb8381ee8930190524a4ba99e985424fe9b42f8d88eb4bff963daaac9d6ce4cd26e0cc1f3c775e8d539d135513acf1514f66c6c71cfc16a512b948d861366f04284d6699de34516357877ab468f18d4a4f7ed07bdb032fd3deaee8d4e292cdb11cb80096b0bdd34e3ae84c54dda8cccdfcd6822bd3f7e9f68837c6e8f11e472e8453d95aaf2ce97b408badcfbbdf38dc633d0b53d4861afc142840000000d52cf4be268948c5f7bc4588202820623d71e97f12c82282f8f71fa4582f2cbb82bd7f5cd25e8f338d92692804cf4b031cb8ac222a54fa82fe73c6f6f3eff399	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000008853f6f4257f1e6cfeaf7e6493baf0f142d195ae70af166a8b81f933f55175b3000000000e80000000020000200000000a8b2cf612705a363556b3467aa4ef26bdaca0115cbece418d0c56ced42a0beba0010000b3f92858ccf86e3e03349c1ef66d0d4b6ccdf7217d5eb836ebe93e21423c2479fe4698a5fa1b55644bbc6b21c379f7e59f195aea748e85ac784a58215f329543623ee09191b5fc7c8495c3dba60f710408c0d26806f191e8a3eae981beee015a6e75a9b63c26c27ac1486cefe60edd7a266810f1180a52c99ad34390096a362f28a1150db79a62251a8352c3cc0c8bd1dc6ecc465099423e90daf49e083cf23208ca8b4b7002fe023b0589a3274fa02f69af344d51188ee6d54967dab95a94491fc8818fcbe91cfec6fe2fe9e89cf198adbaebbf4ba0f8e800162b9e3e8c90d75fcf323c2638838cbdfe7d0f83273186f280ff2d91a699aea1acd869debb5e127ef5bfef68f0912e6df3e6d7bcffadc007908d3e915d54f45a2a4ffbe4836a1a743e6c06baeaa37d2e748781914db27ffab0741b2bce9b4fcc101b67cc68addeeb2fc009a9da432bbfb45da6b61c0c9ee0efdf02c5b1146cd7206e64d50c59608e97643cdcde2efe52449e8d46f95d170d0f00c7a804fa25d2df3c2843a412ea053ff76b683db40fdd31472fde1f8e9b94a677e5e4c22cffc715fd6f07db2bc340000000e7aa20c877a138033f1bac56054c1a477f9ea5df9c40fad1653d8cefccabbf518f291ffd7fbb98ab580ece5116557b2fe0cacc3e41407e9d434da661c518e54f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000245f78d1d03416dd8bfa893389642047ffa669686723c290fa534587e7236d85000000000e800000000200002000000011bc5b8de2bc8cd9e21eaeb47d798e5ee6befa917a3b0c3b0d83d4135b044a87a0010000876d1c2a1720d7e78f3598a730899267369cbbdef53d97b39582de40f273330758560221ebdf5250d4930a4be31894502a746ac2709a751e251f22da79117becf34a59e94c4c0d99bb68dc6a29f6e98718d61350b659acbab104220917674769cb852147d5c189b46bff6e22367fef31d08aa484b41fa0d0db704c823f6417c1174939f2bef5de6489b3bc155fafb51eb00fb4536a3dafcc3bc5bd0061fc9c53f7b07e9f0ca031d9f922a0d2ade14d5c568d27352cbcc83fffa0164bbe522ade0c9a98720f001f7ecf99c5fa98c5d0fa7828a74ad9ad52ba51eaabde10a323bfeb7ee90cf11597d4c5a1d18c71af25ebe74b0e436550401646bed850557fa4178a92b22bebd70bf6329a7a3d48e777f3d15a0249f37eec3b39da68699738ed462b65264df7c924aa10b544ed3dede9084bb05ace35eabfbd8609d4bc73832669c550e296d1429f8e62863e16702953bbee7e933cdf6fe0f75e4d0bf332f752295ec51947cab85c3dd2871c4a680d782018f676bce381a38dc6c2fab864e87af289e50a309f36218bdcf5b446bcd4e77f388f8df2cda86f94da8cfbcb012791d240000000f023f19c77782c2608bb795b9cc1fccfe5cfca76c16c8bb9b9a7d233d3485374967739337b65eb0e1489938a313ebd6c695eeb0cfee25f200193db7280cc25ee	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000085b12d515a20eeca5fa4435ea6416849145c6706eaff423a06b3a871e4d2ce86000000000e8000000002000020000000922c2fbcbc4456883ab0f11b939364ee764f4315611f05f9a42c2a4a34711bb3a00100003ada21451ed6d6977f30fb20e36f5cd9bcbe3f715e2a1e7d87b0a9647ab8cd2853ff4452c8cbe923b1a278885999b709efb2be3c78e767a0797dc200e4d8dd7f97d2b34d7f6ca9cb1507a8739695c8d752b673621fbb1f94507ac8a0d336b35f0815938033c395a699490e1cbe6a17b2e1c3f3f9b415575df0d17a14968b9f95a41d75edeca3e942c33c8c69920ed2900f6093243627c4821977e001ffe42069f9f23bad05a5df4bd5d7ee2d159441a220a3b8e7e6f9c62acbb3b3107b58563e7c0540385b90f7cb6027c2f1d7dd6944b42cf8213b7247ae9dea010d08fe087811571246d0521ea83f1ccfb600b6a697bd5c7295fb3ea632f401bdfc6da8f8f4ae207e307ec964efdd5567c7e5956b094c60ea95dab63a536d7d0abeb843f390e2dcf651af5bec2c4e69d8f6ff8bf0f49af5094cda462368e0fd9f5f3e9d0691ce6fc18c82869a27259d20e0d1b48c5c2f6f0654b42a2d4b197b8bce50b62d029e2458bf994c2d7eba5a70f7dc7b65bc6fa5160345ffa3b598152f1d0631e5db621de25f9917f91f06b4d6acea141961f3accca705ff628f9dd7bf4c335a773940000000e0f7ac6782e6e0ac01046762d537ddf39ebcba13f982be47b68be8f679dd251f0c11eeebd585ca1d3f60c1a1fa3689591567be52abfec0d17295a10b70269aa1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000003b21d9146eeaac1628d728b8f0bcc9efb76e433beb0ca30c5e7b8ccb1e691f2b000000000e8000000002000020000000b01f5fb6a2ba7d335b07e7e8dc76bb79f79c1d8536de3edfee00affc315d87a5a0010000a1cf5f4aeb5a6e0f00c131458bd916446acfa16b5e6916948dd6916463324c0ce66aa4c56d49757b1baa6b9a8527440d3fb508c637639c0a51d449815657e9f680f1063f5d44dc972c7d4b3e3d5d816e01701b284b3b38a87714e68fd08c0d7ed73cc4d59f858863b64b2bb526c5f5251b8881590e3fc7326ec6c99a8926c7d8f48205e45d6ee338a819087275d74472f0325501c2f24f03c9843617becc2695e68ae172dad5ba3b88f8e8cf65038a7fa31bc0ac799408a2872c2d61577cec6051e7c14d1dbb9a32678c4b7d60f268fe6d9f37004254fbb5a3785e59a8f9baa024605b5313a6da31e6e4aedcbdc27a2158fc2c74116e76da9dd14b7c5a1959ffa2f17951b3cddc71ae98b64167645d668a0b2c0c40e358d0563be25248a20409bc01c36532e309ee086a5d6be48f745a5f7b4d6f31c4c1140027484a2dbb7eaac73992e9b595e3f2d588a336e3032520c54a29c532e461fd5d7e21e8f0a8ad13bd1fd6cc56404a704318b13292f278386ca0f2340057a2b62b67043faf026fe73ca9c28bdd471608fa3b91dd916fea5cafa83e8fd3b9d67a291f6dafcd8a674440000000fab4fa60b28fe76f924c35b2b9e1f2bc391224683d390b4cfc2aa81e93512f40df18b944688c0ac54489604b2b3dbe196e684f98ad7780c1e2242f25f23e7e86	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2672	iexplore.exe
1664	WIFIGUARD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeSecurityPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeBackupPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeRestorePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeShutdownPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeDebugPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeUndockPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: 33	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: 34	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: 35	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2828	msdcsc.exe
Token: SeSecurityPrivilege	2828	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2828	msdcsc.exe
Token: SeLoadDriverPrivilege	2828	msdcsc.exe
Token: SeSystemProfilePrivilege	2828	msdcsc.exe
Token: SeSystemtimePrivilege	2828	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2828	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2828	msdcsc.exe
Token: SeCreatePagefilePrivilege	2828	msdcsc.exe
Token: SeBackupPrivilege	2828	msdcsc.exe
Token: SeRestorePrivilege	2828	msdcsc.exe
Token: SeShutdownPrivilege	2828	msdcsc.exe
Token: SeDebugPrivilege	2828	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2828	msdcsc.exe
Token: SeChangeNotifyPrivilege	2828	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2828	msdcsc.exe
Token: SeUndockPrivilege	2828	msdcsc.exe
Token: SeManageVolumePrivilege	2828	msdcsc.exe
Token: SeImpersonatePrivilege	2828	msdcsc.exe
Token: SeCreateGlobalPrivilege	2828	msdcsc.exe
Token: 33	2828	msdcsc.exe
Token: 34	2828	msdcsc.exe
Token: 35	2828	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2672	iexplore.exe
Token: SeSecurityPrivilege	2672	iexplore.exe
Token: SeTakeOwnershipPrivilege	2672	iexplore.exe
Token: SeLoadDriverPrivilege	2672	iexplore.exe
Token: SeSystemProfilePrivilege	2672	iexplore.exe
Token: SeSystemtimePrivilege	2672	iexplore.exe
Token: SeProfSingleProcessPrivilege	2672	iexplore.exe
Token: SeIncBasePriorityPrivilege	2672	iexplore.exe
Token: SeCreatePagefilePrivilege	2672	iexplore.exe
Token: SeBackupPrivilege	2672	iexplore.exe
Token: SeRestorePrivilege	2672	iexplore.exe
Token: SeShutdownPrivilege	2672	iexplore.exe
Token: SeDebugPrivilege	2672	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2672	iexplore.exe
Token: SeChangeNotifyPrivilege	2672	iexplore.exe
Token: SeRemoteShutdownPrivilege	2672	iexplore.exe
Token: SeUndockPrivilege	2672	iexplore.exe
Token: SeManageVolumePrivilege	2672	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2876	iexplore.exe

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
2672	iexplore.exe
2876	iexplore.exe
2876	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2284	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE
1368	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1664	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	30
PID 1904 wrote to memory of 1664	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	30
PID 1904 wrote to memory of 1664	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	30
PID 1904 wrote to memory of 1664	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	30
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2716	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	31
PID 1904 wrote to memory of 2828	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2828	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2828	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	32
PID 1904 wrote to memory of 2828	1904	4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2828 wrote to memory of 2672	2828	msdcsc.exe	33
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 2672 wrote to memory of 2776	2672	iexplore.exe	34
PID 1664 wrote to memory of 2876	1664	WIFIGUARD.EXE	35
PID 1664 wrote to memory of 2876	1664	WIFIGUARD.EXE	35
PID 1664 wrote to memory of 2876	1664	WIFIGUARD.EXE	35
PID 2876 wrote to memory of 2884	2876	iexplore.exe	36
PID 2876 wrote to memory of 2884	2876	iexplore.exe	36
PID 2876 wrote to memory of 2884	2876	iexplore.exe	36
PID 2876 wrote to memory of 2884	2876	iexplore.exe	36
PID 2876 wrote to memory of 1320	2876	iexplore.exe	39
PID 2876 wrote to memory of 1320	2876	iexplore.exe	39

C:\Users\Admin\AppData\Local\Temp\4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4ad69c1a5f6459baf6fb722edf533f49_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\WIFIGUARD.EXE
  "C:\Users\Admin\AppData\Local\Temp\WIFIGUARD.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.softperfect.com/products/wifiguard/?from=auto
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:209932 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1320
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:930831 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2696
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:472082 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:537635 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2284
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:209973 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2924
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:2503715 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1148
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:2438186 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:2438212 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:2176057 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1368
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:1848408 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2128
- C:\Windows\SysWOW64\notepad.exe
  notepad
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    3⤵
    - Modifies firewall policy service
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DF3B10AC058C0D6973F46A2636A375DF

Filesize
345B

MD5
6088379b4589a6969fc196536e9ac011

SHA1
a32627866ffc7f8d40362f5b00984b4b4b0dca3b

SHA256
58560f53c5dc55498c7e5f236aeaaa4b345660f7be85b86815ddd32b2e1c6d81

SHA512
5ecff8dfa26dea3ecd3b22ffa3b8c1f55cbba63513aa52f8b8ed6152623a00a5e3f7cdb4f2dc1863c6624e0f29f8dc7bcff76609c9c4c9f41e32823e023d3367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c31b3b0b3aa9da0ddb64a4b7912be7d3

SHA1
c234de26b1fd259e8ba2588793c963337146c52f

SHA256
0ccb0829ab7c671c7c497b4f4efc7f8645279e0689438b7ff7b92e65ceed7e98

SHA512
244942f2df88f024044b1c71512666c49155a5f68aecd066e3e87a68635bc43c0592cd16d2d6929af502b8f3f914c091ae218be25132df82e9ea0622e2328196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
de98a9c6a694af5e2247a17380edb431

SHA1
66db4c112e18d868544b2463ea8019bf35391abd

SHA256
22d4dca4abdef055d180ed6ca0b0bd0852c011a6612764ad17939acce14a6d68

SHA512
ba683988ca313b042fa4bf178e0f734a4669ebefbe6ae0c7a5f58be3b6f55e268045281de17a4aa9dee2f1edc50fc28d86b7a9d09ebe9be00d1efd081c8e62cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e4144633889a85e1a0feb0a0bd1b75b

SHA1
ae0b014c5793dd7ad32457a54ead4d834de983c1

SHA256
1e21c63e2f930e62d7403ffc73d34856cd7a4b15791384a7960be982ea22e637

SHA512
0eacf86dea6ff4a4ba0683ae6756a7016e797c41976f564ae8ec1c6ed94c0edfffd7114659e32d2b5ea12b539ee4e2f498c7a75964887673c8eacd9e980dd6e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ebbefdab009813b5de537efc16deb69

SHA1
e2adca0d3a509708a65ca971b04b42ea0f74ec87

SHA256
63f58bdd697a39c34264489f306dc42b5410663e64222aa0fc20e5e30d6b142a

SHA512
869a629e26ee2c9acd357ac6d65a9f4127adca9d8ab047bebe9c1dd32650e89ec17cc757a16b373ca88c3619d5b6bf932c27a0a6e076d2aff1fde6fcbbd78320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d85e2b42bd3fe8c41cce60f26683e132

SHA1
ad4e15193be491b7293c878c3ec2aac6756a423f

SHA256
99b99d0c0668221f2fc5212899b2b064ab737995d4a2f0bcc4793ee1b1cf983c

SHA512
f25e66423d54bfa019e42881e8cbe35ea7246241f84e6ba1536e85d65619c85fb6e3330a08e66c64166c76bc25ad63a06fb02e9ea22bd9e8556ae850957da086

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de720df0785d5fd008af46516295960f

SHA1
c7319aea21d920421c66995c4ab3248f922587c2

SHA256
5df0cc709a0342c2de03a75990e9a5cd748bcdc29f2ce5814c52c8956f432cf1

SHA512
06256ec539579e46c30662b02f8eeefd6cfe6d5842be0e0fd76684f49f1dfd065541c5f281a06f3b9b8e7bcc3b5ad77325b2d757df2e0fed442098abbc69cb32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b02d30405a86f2abe4039ff9c284d0c

SHA1
96cb7290cee8940ea29f75eaf8400a1ecfd15a07

SHA256
db4e478f323774270eb82ebb9efc64b026b51198a1aff763f1158101bd699c7d

SHA512
40a68b5fe6bd63774610875e144d7fb6e47275189e8633b9322a15f8c14ec17cb270625387b702fe56bd4e8550b7cce3c9fc79d87cea4bacd3d125fded1fcd20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bfe899553fb24b035074144e7409f9c

SHA1
03955954eb482522366a2500c303351ab27468ab

SHA256
eb0d2953e5370e8252d06c6b82d65a3bc7c7717861ca398310c5169f6a0e21b3

SHA512
72a6ae1d4460f9468ff8e404e26da0bb82868feb4d639f7170a561f77cf11c7bd2cf3bff83e84b8ba30f0305ff1d15b846e89eb46fe33d600be9c6c03d46a9e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee4efc914e2cd907fc55b2886ade96db

SHA1
ef34e83113cfdecc8b0a66d0daf218950bc008a0

SHA256
ffd88f9287d7bb7fe71941e131c2d835cbee71dbbb332ebb93809bb4e2376338

SHA512
b0effc293ea4c1cc3041d7fd3e637370b87d42b23ab39fa81310fd0d4bb4682713ea1ed3f73e4ca9ea7eca8354f6cb9536be58c42fa55146e6d3e9e337eef163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aac356c1b56f97e8dc92a59090395e5

SHA1
3be1852f2b6443b6d6cdd7d15c116a91a73600cd

SHA256
2b038b2ff108f049cc969b319917a8d84c44f8bb00242512227019e159d3ec9e

SHA512
e59d7e7a40b22630e3bf8b0c82155753dec9c6ef928691145a4374184816f1d2952331f37354e36fdc5b8e7ca232371a52f903931f76aab24d59deb259cfcadc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b29fc93d44ed5f3f48d3451281f7f387

SHA1
924d519d973a6899ae0f8a28ab770df4c54833c3

SHA256
fa09aeae5c56ac91703e9fe83e7f53edd8f6c13e99630c326761e52104397abc

SHA512
7a17e98dd35a9616250b7cc01ec994de1cb2c43ab6aca70a3a4cc021cff158ab21dbda201388531830d22faa21d06021bd0fc4d8c4c909279ba8cbaaa3928efd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67afb5f4fec43e70ad29e9498aa3eb7a

SHA1
e5159e3c32fb4a7e649cc6b6db42f718e3908435

SHA256
a9a9db96d380d8b480bba7b92f7ec17442cf8a05e007f0afc9b5757ad68ab175

SHA512
5742e3f0109cd2002f70c107664232c56af02dc7e8a8a8bebc50a07d0393825cccccc94b90eed94cacd7f3872226437a2585d985cc12d5ad03fb7cb9251d3ba6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
329b37a92d8454ed73c5e879714722e0

SHA1
9ca341507156eda045c6608ffff237995f21a1ae

SHA256
2cd235f8cbafcae5762e2ab3cfeac773f67f9225cc02b622e42fc618177a55cf

SHA512
9124905982d7e07e93d07d1f4c34ea8d8bdc23ee66ab3bb5ebddf845807f11315e8deb51baec6d949f2bcf1cd79143e650fd9eee0389cddea209caf3a6f22b99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e77c2f60313054a96622db9382f7255

SHA1
04379eea0599c82b53a6eb780d23687d26f54df8

SHA256
c35ceae8c8c19f0ac2a7d306493b9e33fd8106d73aba64fe196f25e7cca2c0a8

SHA512
70059b9eb8948d281c8e68258ebcd9a3522caeeac6e47f2dd53e82ce7f190371a031cf8ea32859bc350b139810c151dea97d64e87e769c40496386ec249e5084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3b6e09873f8dc0c8b0d39d7bd33bf3b

SHA1
635ffd103584f3d91abcde32a02fdb3b136fe566

SHA256
b312ea4fbf18b7d8e34662cad864c046e135b8e535bee773bc74f0dc7211d6ea

SHA512
8df8d8ff7ece898243e3726c0e7078ae24ee5ba8ebfe885e51132fd27decf6f61b20492fcd2a42197c65073e34300c3a65ff4c0765dcc1b6ff26b0e0d66de567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd8827d658ee7e8f64f8a7371441d465

SHA1
0ed013cf669c63bb208f1c4cf004dbe155ded180

SHA256
5ea44b593cface7a904e628efe316bdd137c07f08d1c1635775374d795b4c3c1

SHA512
3f28e86b3d311ef6739bfd612f733eeb29bac91e02ab6f9259dfd9d3b20bc6929e6d640de05d58cb2f0f16198405388cac4e970878c57d2cc74ac9acfacee5cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f06140104b886301e60dcb3244e9254f

SHA1
44b3f65aa766bc3a928410d74808d9d4948286af

SHA256
14065c5d71a5b0587cbd043b4aa45146774bfcdafd20e522ab4c2ddb1099309c

SHA512
55b06457e37567a61df7667503522ff5badab459d9225acecd47ef0278cccd53b9076519ad3fb6b0ea2cb1f397dea36cc6e1790fd3e9e189a5152c343062c6f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7f5eba377c573c7bd24c900df5e60ad

SHA1
23e6eaf8f2447cf0d31297b5bcfda1ce0066e443

SHA256
077b519c3d3387853046e6d903ffa9628cb14bba1415caa607fcdac22151758d

SHA512
66a94daeabde1bb4ea53cced235a02ab63d2fb1d4781434ce6b3ad1ea979d89bf61ea86be9911278a813479e276726ada4e7ec4f21ebdb4bc8ee0d9658c280b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8554fc0e92e224e33fae067c213a21ca

SHA1
21fe439b96c29fff8a3cd5e2531262c4c2d3b3e6

SHA256
a886c9b5731fdf8712c1e8d0065309636b99bc995f43a73de103929e7e4a466d

SHA512
d7289e962b5445e0fcb045789e7bfc9dc68038296e449ad6454ad18db1eafa86dd73acaa526398e75c9283ee806687045244d3ccd3394a019dc187e169ba68aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b2014d7555475c1f79fb70752a7514

SHA1
9a6f29e2d0a9f74460b78cb221106d350eb02944

SHA256
2fa20c2557db7318e3789c73b133a50c934ddf08dc2794e40bbd50825f1efced

SHA512
1f0129a9f724adc1b506f5e54e5d659410c37c1317fdc3033dfdee932bf64c08eee5f703eb5b43b99aa592cd719e6500abbb7119d6dba1bd220bda0d0bd7d693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f83b9d5ccea4dfcba1ad3e890b8aa0

SHA1
2980e8e863aa13e0ddd6692a02e91070af71f867

SHA256
4a683a87b3717d731a429630b61b10d8c8b8a2dd40bbeacc7e76bcfcf48fb1c1

SHA512
0a1ef58394138a1e0349cc2245ea6a25d937b76e1914a479f17af00853dcf4685386d2990738c48fd12c628c7d6cceb65eca51285a63979da13766b91784b289

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b23428a1a43cc8a62cf9f5f85c7f7737

SHA1
17f11e5a05a36981c89e5d720cafc54f5a24f402

SHA256
ee8ee668f690a216eaeecb5eaa98247f40253f921f5544706d7ae6b6bdf3f20d

SHA512
b152c5bdcda53584182b8f96cf7823a8bc9684c847bf44bc52c5f1c8dbac3e5e285bc1f52d00d7190ced94534c37e4b33505aa7aaa212990aef68949a67219d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c2458fafe005f7022b44a1974d90e83

SHA1
28baeaf37940591509ea7809d2d236d3ee2d4b29

SHA256
1a2435fb6142d83095b1ecc258fd58453878de6f802f48ca8a214c0d9e8fe747

SHA512
3086fcff7bb553499ebaf58be6f70f8d094cf5bc6cd80615fdf5e9f344c098c81c4ccb3051cdbe969214da35b9c63f44d3817043c6499421d834f037d2523b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ac3e4ff0b52b6f2303fd5956d556757

SHA1
1197efba1366e44e934996c8d40ff0955a4953a6

SHA256
e3b8663ce92e33065eea026ee7aee288763e9c626a85485ca5ca683f27a5d692

SHA512
52c78f521b90b7f152a17849a7b1f1c5d235c98d26c4cb42151ebf480973ec5841d025ab5996087f9c58f3107ba118ecd8c8a566749162a603f4e625e4a8ccde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DF3B10AC058C0D6973F46A2636A375DF

Filesize
540B

MD5
5fbad8ba67a70f385ced7fc9e2e41efb

SHA1
f87ea9c4aeee2a94acd67f9510688bf461725c10

SHA256
52cbe9e3b615524085389971763d1e717ddcca4a5ce9108b22dc999b477c0a8b

SHA512
f1e6931e941c12282a53ef54c30e4ec66eb52cc97b2029d7089b22e0f0292e9debd586aee644c654c095ccf036b82f545925f746bd009f48de245e4a0c385b09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f6bcddd5698a14115908cc0fbf228b37

SHA1
3e55082828eb60d4fb1dba5c47a92840e32e2289

SHA256
f379f8adce0791ca5ab8d00e3b70d668ab439b51532fcc05c0a1b0a17b818273

SHA512
3dd8ca836f3d33d9c5b35c358e281844322b700eeb59687e9d248e961254983202fcc892bde43faaa034eecf4c0c47388a1fe97782f6cd2f083ea058f11e0615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\e1ur8h2\imagestore.dat

Filesize
63KB

MD5
18f2c67489f72d6f2159f8ffb36dc7bf

SHA1
fbced26c64a31fb22763d1c26527b546b756e9fd

SHA256
62651a42900090ff0561410faf42b7a85aaca956e6857af8481a7c69623fe47d

SHA512
7e92b7ca4058fdce75665a3dfc3fbbe6f3ca87ff70bc31e71fbd42d4b54d8a98b9b82b345aeed43c0e82223f196c7576715ac7bc96776e5de829adee4b36530a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\css-dk[1].css

Filesize
4KB

MD5
5eb58e36f226ed5ac0b39fe8bf3a5bf8

SHA1
8be9fefc4833935172c0449782e2158e0d465634

SHA256
a7b7444c08e658d57c96145ab1ce75fe7081e37225240a6b2d922fbe4bfccbd8

SHA512
eade66783d7a52458bea1c57111c7b2002b659de05fe01b65247a9ecc35fed7b88b6f4c5e0cebdafd5f6723cd31f3ae3769dbca28abab2806853cc7e251895b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9UR26M8S\softperfect-logo-s[1].svg

Filesize
5KB

MD5
57acee621c2578d8952e66be36243501

SHA1
f98de09fbdcfdf08485a9b460dc2c742b810d50a

SHA256
770cc580335ffd627ece7f827b4eb2a9e7f04c20e7959a1c8bd4d79831b681f3

SHA512
8556bf96310310060dcc0e668fdb20aacf882e513cac243841c6f9335f90f9dbbd8a65d50f47032a08e096a0e20595e4fb4ce19d7d8f64e261d930038bd63ba0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\bg-logo[1].png

Filesize
203B

MD5
ee55b4d347d739c3484222866d33ea27

SHA1
01a76737c918d666adc5b593225673e52b6d4308

SHA256
5b213869edba120f2b2fb3a5b75ccdfe8c46ceee97e615f1fa69bd4a7cb1354f

SHA512
a507395da2f8312859d931c5d0b16250dc5321c0e6dbde9fc1d52d5efd0bcdefe76e051d98deaea7af4a5437c565b274c7848ee02a335ec23a10c5bb5c00a1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\main_windows[1].png

Filesize
40KB

MD5
ad164eda2425f9015b8ddddf0f00aa9e

SHA1
4209419389f5eed0454869d1603594381eb811e0

SHA256
2e072c108f892e4022af122896bc77e82085fdb301f713f7d4497fb869ee7a31

SHA512
223f8a0cff3443ed61fbc424f703b135ebd855b5a03e6c08b587c0c91c4c73a289340fe752a853a7c787e5ca99f8345afc8147e77b60716a8ce2b075a2a6b8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\softperfect-logo-l[1].svg

Filesize
17KB

MD5
fed002bc0f7cd0c730a6e1aef8023d44

SHA1
6bfd4a2375f34801d608e6910f1b13a1c687ca05

SHA256
e3297c3718aa5c7392bd384c2c46cfea23ecc310e6118af8893c1979fe342276

SHA512
66020183a7076d7bec5ed6b70108e510114fee6be89a347435f625f76db498ac93a2ae58a76879f93e6e5e76d4462ff0d94e3eff55687b35d13709ecb5b4723d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\wifiguard[1].htm

Filesize
9KB

MD5
f46a2ac3d64497cc938b9dace12b2100

SHA1
9813b5b119c8fdd26b884818c62eca55d84835fa

SHA256
0aea1045fa905cac2576bd1323d7aae0754ac35a9bc139420fce1a51562470cc

SHA512
e2f236402401c284415150b4a0082e42017fe57327cad0cb72ab43b64e11934148509fbacc9c4f3a0357d54e56e203a607e631a6813edf5790dff714d0d102d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\css[1].css

Filesize
16KB

MD5
76944e2c174fee52c9a72e21ed8e4c3b

SHA1
fdd773dfd8c25c3b5adb3159c10fb0a5d2aa12ff

SHA256
432d52f3ce00de95e5f9198f28659b789562671059e06303a9c98f5e9d295ff4

SHA512
a8c8bf378901347a8390073e1aef5585448a093edb8962baae4d9ca4e8d7ab309126d2b1f702319388d85dafc15c09abe894938cbf014a5e42122d5b50ae9b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S8GI6B9B\favicon[1].ico

Filesize
62KB

MD5
fd2053ac9e7e2e09a34cdf287a1f4c35

SHA1
1a5a45b59ef8378b27864e933145903a7de71738

SHA256
9a75522ff30e8e570ed1bcc8e092bfa061f332deadfb64781dd09e1a5f7419f8

SHA512
98784838112e7bea93f578f43de12cd87c7c259a1382645738bb82289cff195fd8c670f7f3951f6b407ad5027db9eabc3d2ed7b789c3cd0d2359e1b46e135fcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\logo[1].svg

Filesize
13KB

MD5
97d9f2e10784beeb3770af8cecc9c4f5

SHA1
574f3c9972782607fcab33a84f76b087ee3bdf6e

SHA256
af3ca3387a1f6b98467fb33d04ae6c13275484951088de37436f322aa176b8ab

SHA512
04c64a03c9a6514bd187467c9f5d2de521b6c836521de23645d5f98a5f4cc77b3cddfaa8b8c36424fbb6bfecb6d0d2cdb2b15622bd5dad1f9094fdd7ed34acb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\unfold[1].js

Filesize
298B

MD5
d94be89de4bb7e9de5cbefda965d2c8d

SHA1
22d338d4f108c29bc49045b741375e8a2dfe9676

SHA256
cb3efeb73d05da8a44efbd18fc7f4ae20575eabefa5931ece6f6044b025229c3

SHA512
3025376231979997dab0be52723514c96fa1252d8f4e36621e91835bec48aa6c26dce4e106d000b46313d75f053cb994f92fac01f98450c55ea5526681c97d1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZKZ95V4R\wifiguard[1].htm

Filesize
265B

MD5
47c35d4766147798311149d504f5c048

SHA1
3d52f9ff471a727fbb24306d0acb2515deccc87a

SHA256
8226888f87dcae7712e652da2eee1cc5603d89a489cd81ae36cc59bf0cfa4d42

SHA512
1063617c38404494acf4fcd5aa93564e8185bf0d03f0c9a3a88f68c82726c92db4dc7dc5cd47bdcea3c7795b403ff16a917875726b86e698b6c58591b2c3b139

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE86E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE86F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
a16053c088a65cd92a8a344f9edf81de

SHA1
e504dc9fb7e49cd493daaf1d15c11b7babc9d8c0

SHA256
5214f6a8de06693f7756a2b515f72baf8cc5da1d51921c79ffec42a657144606

SHA512
eae9546b40a6da16f7316250c8d8b8f3c11f970b50e853ffb4050eeb50a4b6c30c5f5c8525377b921157151cc53a44ce4bf3fa8b11c47ee94c6f176999461055

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
5.2MB

MD5
4ad69c1a5f6459baf6fb722edf533f49

SHA1
f47f0c62826013d8506700ec7c5c2a5f3dff6bc0

SHA256
16b23e2f1893ebfd6d98d5ba8f6ff45d143a8b5fa0672fadaf0e44be72b359b4

SHA512
0d91fc35dd06a457543f9163231ef39f6913052641a35e21d8f8e234705277f1ab3fd30072fbd2b880eff8f1548455d09fe6c8c4d84f9bb92424fdf3ec6724a9

Download Submit
\Users\Admin\AppData\Local\Temp\WIFIGUARD.EXE

Filesize
4.6MB

MD5
2253164fc86c103493550a99bdec3fff

SHA1
334a9e294f1862da6610e592c8c23648f1aef2da

SHA256
13e6f822599155fb327cf673f5aa719d4d58f94f2ba05c76fbaafa70bb759aa9

SHA512
086b73ac1f57e84a1e17be535ae7878cd1e34c0cdde5d4bf79609d73d14775a1585b0d1b176c17143e78be6420de495e87caf3edf8a7ee3bfebc62fe190a02ec

Download Submit
memory/1904-0-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1904-46-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/2672-44-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download
memory/2716-15-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2716-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2776-85-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/2828-45-0x0000000000400000-0x0000000000948000-memory.dmp

Filesize
5.3MB

Download