Analysis Overview
SHA256
d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435
Threat Level: Known bad
The file 8126840a68ac0b59131895236692c577_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
UAC bypass
Modifies visibility of hidden/system files in Explorer
Modifies firewall policy service
Windows security bypass
Modifies security service
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Disables taskbar notifications via registry modification
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Windows security modification
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Checks computer location settings
Indicator Removal: Clear Persistence
Checks whether UAC is enabled
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Modifies Internet Explorer start page
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
System policy modification
Modifies Control Panel
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:12
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:12
Reported
2024-10-31 02:46
Platform
win7-20240708-en
Max time kernel
150s
Max time network
142s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebloader.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwcl9.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ogrc.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2860 set thread context of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe |
| PID 2804 set thread context of 2508 | N/A | C:\Users\Admin\E696D64614\winlogon.exe | C:\Users\Admin\E696D64614\winlogon.exe |
| PID 2508 set thread context of 2596 | N/A | C:\Users\Admin\E696D64614\winlogon.exe | C:\Users\Admin\E696D64614\winlogon.exe |
| PID 2508 set thread context of 2904 | N/A | C:\Users\Admin\E696D64614\winlogon.exe | C:\Users\Admin\E696D64614\winlogon.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Sound | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://o7miyo13eslsq1s.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://9v5xutgqnyz0lh4.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436504530" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://9p0gazss7t8elao.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://615wr7318h4uc11.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://2j35w93w0b8419h.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://1579f0m1wc9e333.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{094105F1-9732-11EF-B4E2-F64010A3169C} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e584cc3e2bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://321nh6u1sp2uf5n.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095e656d4331da74999cd4cfd61f7057500000000020000000000106600000001000020000000e7ff2fd2f7fead5001a7eb7a8e20fcd885e1bab5dc0d0b75681ce5a7435fa08b000000000e800000000200002000000062a0fde4347208f12350b69b951ede93b26919640103c1262e0b93f36d3f46c02000000050e9c69dadfa048d64dace47dd2ddf13c068d1a56796a008564cd6c7b0a05efd40000000d4bce429c18058e2ab0a09678fabe5485c81bc4b7385a3b921f5fff8136fe256d54d6b42c136cb473169b700d354a4a846198554322ea8e98a63963ce18128bb | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://m753b67257x7iz5.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://1v8y6140umdx5x2.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://1vk345wxzr1s7gh.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
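The policy rows above are the part of this report that matters most for response. EnableLUA = "0" switches UAC off for the whole machine (the change takes effect after the next reboot), ConsentPromptBehaviorAdmin = "0" makes every elevation silent, and the earlier Internet Explorer Download\CheckExeSignatures = "no" and RunInvalidSignatures = "1" values remove the Authenticode check on downloaded executables. PromptOnSecureDesktop = "1" is the Windows default and is not a weakening on its own, which is why a reader triaging a report like this needs a value-aware check rather than a list of touched keys. The following is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the report's "| op | indicator | process | target |" layout, matches each against a small rule table, and ranks the hits. The severity levels, the ATT&CK technique mapping and the notes are this example's own assumptions; the sample rows are copied from the tables above.

```python
"""Triage the registry rows of a sandbox report into ranked findings.

Added example, not part of the report or the sandbox's tooling. The rule
table (severity, ATT&CK technique, note) is this example's own mapping;
the sample rows are copied from the report's signature tables.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: rows in the report's "| op | indicator | process | target |" layout.
SAMPLE_ROWS = r'''
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://1v8y6140umdx5x2.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
'''

ROW_RE = re.compile(r'^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|$')
SEVERITY_ORDER = {'high': 0, 'medium': 1, 'low': 2}

@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str

@dataclass(frozen=True)
class Rule:
    op: str                   # prefix the operation column must start with
    path_re: str              # searched case-insensitively in the key path
    bad_value: Optional[str]  # None: any value (or a key-level operation)
    severity: str
    technique: str            # ATT&CK ID, this example's own mapping
    note: str

@dataclass(frozen=True)
class Finding:
    severity: str
    technique: str
    path: str
    value: Optional[str]
    process: str
    note: str

RULES = [
    Rule('Set value', r'\\policies\\system\\enablelua$', '0', 'high', 'T1548.002',
         'UAC switched off (takes effect after the next reboot)'),
    Rule('Set value', r'\\policies\\system\\consentpromptbehavioradmin$', '0', 'high',
         'T1548.002', 'administrators elevate with no prompt at all'),
    Rule('Set value', r'\\internet explorer\\download\\checkexesignatures$', 'no', 'high',
         'T1562.001', 'Authenticode check on downloaded executables disabled'),
    Rule('Set value', r'\\internet explorer\\download\\runinvalidsignatures$', '1', 'high',
         'T1562.001', 'executables with invalid signatures allowed to run'),
    Rule('Set value', r'\\internet explorer\\main\\(start page|default_page_url|'
         r'search page|local page|default_search_url)$', None, 'medium', 'T1112',
         'browser start/search page redirected; the URL is an IOC'),
    Rule('Set value', r'\\classes\\(http|https|ftp)\\shell\\open\\command\\$', None,
         'medium', 'T1112', 'URL protocol handler rewritten by a non-installer process'),
    Rule('Key deleted', r'\\image file execution options\\[^\\]+$', None, 'medium',
         'T1070.009', 'IFEO entry for the named binary deleted'),
]

def parse_rows(text: str) -> List[RegEvent]:
    """Split table rows into (op, key path, value, process); values lose their quotes."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, indicator, process, _target = m.groups()
        path, value = indicator, None
        if op.startswith('Set value') and ' = ' in indicator:
            path, value = indicator.split(' = ', 1)
            value = value.strip().strip('"')
        events.append(RegEvent(op, path.strip(), value, process))
    return events

def triage(text: str) -> List[Finding]:
    """Match every event against every rule; highest severity first (stable order)."""
    findings = []
    for ev in parse_rows(text):
        for r in RULES:
            if not ev.op.startswith(r.op) or not re.search(r.path_re, ev.path, re.I):
                continue
            if r.bad_value is not None and (ev.value or '').lower() != r.bad_value:
                continue
            findings.append(Finding(r.severity, r.technique, ev.path, ev.value, ev.process, r.note))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

def hijack_hosts(findings: List[Finding]) -> List[str]:
    """Hostnames written into browser page/search values, i.e. network IOCs."""
    hosts = {urlparse(f.value).hostname for f in findings
             if f.value and f.value.startswith('http')}
    return sorted(h for h in hosts if h)

if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f'{f.severity:<6} {f.technique:<10} {f.note}  [{f.process}]')
    print('hijack hosts:', hijack_hosts(triage(SAMPLE_ROWS)))
```

On the sample rows the script reports four high findings (both UAC values and both Download values), three medium ones (start page, http handler, IFEO deletion) and ignores PromptOnSecureDesktop and the FullScreen row written by iexplore.exe itself. Feeding it the full tables of this report instead of the sample is a matter of pasting the rows into the same string.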
Processes
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\E696D64614\winlogon.exe
C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:930833 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2044943 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2044955 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:930863 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:1979424 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2831383 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 61a42funvm129u2pr9dj93536bctj1.ipcheker.com | udp |
| US | 8.8.8.8:53 | g74514z1744r85p2sa62oys4p55gt2.ipgreat.com | udp |
| US | 8.8.8.8:53 | 8ga560w93bjcho096p48mw1tpo2932.ipcheker.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 8.8.8.8:53 | sgvvz2030668n977s3v69jvl51640u.ipgreat.com | udp |
| US | 172.67.8.141:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | widgets.amung.us | udp |
| US | 172.67.8.141:80 | widgets.amung.us | tcp |
| US | 8.8.8.8:53 | 1v8y6140umdx5x2.directorio-w.com | udp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | www6.buscaid.com | udp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | btloader.com | udp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | ocsp.starfieldtech.com | udp |
| US | 192.124.249.41:80 | ocsp.starfieldtech.com | tcp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | l3tarsj412lj56s6rw2tkc2xeg2eaq.ipcheker.com | udp |
| US | 8.8.8.8:53 | fjrvn8zs1dak3j4jrvz42i02t537wr.ipgreat.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | kalj7ur2m3ltr8l3l2zw9wy18i6294.ipcheker.com | udp |
| US | 8.8.8.8:53 | 06u6tx6q359gug1az476qx0g118tlp.ipgreat.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | www6.buscaid.com | udp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | 0xgw7ct13yq3ap0566l773g20k0s6r.ipcheker.com | udp |
| US | 8.8.8.8:53 | vqi46loix896f413gxjp7fh4137hcc.ipgreat.com | udp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 104.22.75.216:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
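The network table mixes the sample's own traffic (lookups of long random labels under ipcheker.com and ipgreat.com, the directorio-w.com host written into the start page, the repeated connections to www.buscaid.com) with background noise that any Internet Explorer session produces, such as OCSP and CRL fetches to pki.goog, starfieldtech.com and crl.microsoft.com, and a DNS query to 8.8.8.8 is not contact with the host it resolves. The following is an added example, not part of the report: it parses rows in the report's "| Country | Destination | Domain | Proto |" layout, separates lookups from real connections, allowlists certificate and update infrastructure, flags hostnames whose leftmost label looks generated, and returns an ordered IOC list. The allowlist suffixes and the random-label heuristic (twelve or more alphanumeric characters with at least three digits and three letters) are this example's assumptions; the sample rows are copied from the table above.

```python
"""Pull host IOCs out of a sandbox report's network table.

Added example, not part of the report. Rows are copied from the report's
Network table; the allowlist of certificate/update infrastructure and the
random-label heuristic are this example's assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample in the report's "| Country | Destination | Domain | Proto |" layout.
SAMPLE_ROWS = """
| US | 8.8.8.8:53 | 61a42funvm129u2pr9dj93536bctj1.ipcheker.com | udp |
| US | 8.8.8.8:53 | g74514z1744r85p2sa62oys4p55gt2.ipgreat.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 172.67.8.141:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | 1v8y6140umdx5x2.directorio-w.com | udp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 173.255.194.134:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| US | 192.124.249.41:80 | ocsp.starfieldtech.com | tcp |
| GB | 2.18.190.73:80 | crl.microsoft.com | tcp |
"""

# Assumption: traffic to these suffixes is IE/Windows background noise (certificate
# status, CRLs, default search), not behaviour of the sample itself.
ALLOWLIST_SUFFIXES = ('.google.com', '.pki.goog', '.microsoft.com', '.starfieldtech.com')
DNS_RESOLVER = '8.8.8.8'   # the sandbox's resolver as seen in the table

ROW_RE = re.compile(r'^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$')
LABEL_RE = re.compile(r'^[a-z0-9]{12,}$')

@dataclass
class HostSummary:
    host: str
    verdict: str                 # 'allowlisted', 'dga-like' or 'review'
    lookups: int = 0             # DNS queries for the name
    connections: int = 0         # TCP/UDP flows to a resolved address
    peers: Set[str] = field(default_factory=set)   # "ip:port" actually contacted

def is_dga_like(host: str) -> bool:
    """Leftmost label is long, alphanumeric and mixes at least three digits and letters."""
    label = host.split('.')[0].lower()
    if not LABEL_RE.match(label):
        return False
    digits = sum(c.isdigit() for c in label)
    return digits >= 3 and len(label) - digits >= 3

def classify(host: str) -> str:
    if host.endswith(ALLOWLIST_SUFFIXES):
        return 'allowlisted'
    if is_dga_like(host):
        return 'dga-like'
    return 'review'

def summarize(text: str) -> Dict[str, HostSummary]:
    """One summary per hostname; DNS queries to the resolver count as lookups only."""
    hosts: Dict[str, HostSummary] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _country, ip, port, host, proto = m.groups()
        host = host.lower()
        s = hosts.setdefault(host, HostSummary(host, classify(host)))
        if proto == 'udp' and ip == DNS_RESOLVER and port == '53':
            s.lookups += 1
        else:
            s.connections += 1
            s.peers.add(f'{ip}:{port}')
    return hosts

def iocs(hosts: Dict[str, HostSummary]) -> List[str]:
    """Hosts worth blocking or hunting for: generated names first, then by volume."""
    rank = {'dga-like': 0, 'review': 1}
    keep = [h for h in hosts.values() if h.verdict in rank]
    keep.sort(key=lambda h: (rank[h.verdict], -h.connections, h.host))
    return [h.host for h in keep]

if __name__ == '__main__':
    summary = summarize(SAMPLE_ROWS)
    for name in iocs(summary):
        s = summary[name]
        print(f'{s.verdict:<11} {name:<45} lookups={s.lookups} conns={s.connections} '
              f'peers={sorted(s.peers)}')
```

Names that were only looked up and never connected to (the ipcheker.com and ipgreat.com labels here) still rank first, because a resolved-but-unreachable generated name is the most reliable fingerprint of the sample that the table offers; hosts under 'review' such as whos.amung.us and buscaid.com are left for the analyst to attribute.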
Files
memory/2860-0-0x0000000000840000-0x000000000087C000-memory.dmp
memory/1764-7-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1764-6-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2860-5-0x0000000000840000-0x000000000087C000-memory.dmp
memory/1764-4-0x0000000000400000-0x000000000041C000-memory.dmp
memory/1764-1-0x0000000000400000-0x000000000041C000-memory.dmp
\Users\Admin\E696D64614\winlogon.exe
| MD5 | 8126840a68ac0b59131895236692c577 |
| SHA1 | 9a610c195b9b153d8f31a0cc786f709372bc81d7 |
| SHA256 | d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435 |
| SHA512 | 74cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8 |
memory/1764-13-0x0000000000510000-0x000000000054C000-memory.dmp
memory/1764-19-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2804-26-0x0000000000D10000-0x0000000000D4C000-memory.dmp
memory/2508-30-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2508-36-0x0000000000130000-0x000000000016C000-memory.dmp
memory/2508-37-0x0000000000400000-0x000000000041C000-memory.dmp
memory/2508-38-0x0000000000130000-0x000000000016C000-memory.dmp
memory/2904-39-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2904-46-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2904-43-0x0000000000400000-0x0000000000443000-memory.dmp
memory/2904-42-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab650C.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar65BA.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bac6b94b3a240774bf5680a3a3d7b14e |
| SHA1 | 82512190ca16b27dc03c8dd15f8c05c6b953c62c |
| SHA256 | 317af094b3f43c9250e6521e43fb837f4afe43ec6ba3489a2685a78e5085b351 |
| SHA512 | a38b97e5fe3b3685a1a613e4f0efc4b370f101539c330edfb095ef79f7a863145fbc1b8667539f6d9bf126fbe84f6342e87d5a277a452df8a20cc744ef3039d6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5bdbdcbb4a5d5aa6d7a11c90fcddaa26 |
| SHA1 | ee55fe4cf057d012a057f06c18f09964eab43d51 |
| SHA256 | 35d3ffd346dbc8584ea7cb406c25aa60a974f45e5c87451a6b0669674f216b98 |
| SHA512 | 77cc059fc36d76e2af00d96df480dd9d49aa3fac5f73d505344de704d9c1faedf2d3abf84f68d3b01394cb2e3b7a0ae5fe8bf652fad7e1d4a423676b902a3b77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 288f9b7b3145f964f26fd154a81eb56a |
| SHA1 | dbe7bdcd7d42c9c63f2c3ea9bc06cc2d1b957ac3 |
| SHA256 | b477aab4d7926e68f40766aa374765f1d98c80895b697a4d009a9118ddec220c |
| SHA512 | b9202f95a30b1d9f5aa1b736f0c3feb6f626333ff05d7198fb73f6e53fa47eace39a8563d20a372fa921bfa401ed62c28a234f7362d6e8ee4d3aef8e7454f41a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 58f842c2f0f2683e8309fba939f59eb0 |
| SHA1 | d5cac90f20b1e75374019e77b7179a1354168e7a |
| SHA256 | aa9b340573b9328218ada11b4c0f0791dbf6e21025927506a7396057641dcfe9 |
| SHA512 | 053cc7d49b253391a33573214704b65bc106723e0c4bbb3d625d7bf267f4b13f9aa26e41e2f6a9956460a1f19cd14f2b5c8b00794e77a250b69224cd2c196969 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 40d683e99dc55c55609f717b760776ca |
| SHA1 | 9e9c331e06215a7083ac1630dd7df085c7459c8c |
| SHA256 | 0ae6bf26f19dced6ca09e7925dc7752e82d71bb4a7fff43b2199fc38e0ab06f4 |
| SHA512 | 609ddf5266a926a53f52323a9144db580a98be435196b73987171950b756cf10ff37b0cfb861a2f37515c46634781d39713658f80557f5a549695a20424833e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a01b2855e672db2e7499602750e9045d |
| SHA1 | c2ce4274810ba8519255ac32629510eaa01dc5f5 |
| SHA256 | 3a15b00afa5cd32ed489017d496c459e8fad6f866193dc782cafe435713ec7de |
| SHA512 | 0b9b0c36b892ffd45a9dcc8150ea3b68d1132c053134a76ba7de355809efcdb6a219c7ceaec808b5e52c2a8dde3ceb28c207142d00e4cf2921f7b0a9ff74b226 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a5d54836e12fd5f528e980a8b1d0bcea |
| SHA1 | a9f17686f324bdf0069a1ca2e896d83d9b7935e3 |
| SHA256 | a87167de96636a1bba99025d8688d83ec37fa362cf7f0a356e423a2a11ee5733 |
| SHA512 | 2b25cb82a50c94f500a602c3806abc429aa0207f6e46b98b928d3d5e1493bd43227cccfb3d4a7ae4efbdcb05ba23dc8db11c47d60fd4e28745c2408ed054b8ed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d481f56f510da9b1b272b3e966c17055 |
| SHA1 | 4dcbe0c84ad5d8be0db744292d3c11b439c621c9 |
| SHA256 | 5942985b5197b76cb5c6af1a414e27c3dfcf010ee39579d5911f7846c1eedb30 |
| SHA512 | 2cc9c0054c47adf661f33cf892da4327804baf51e3f05d9738f0fbf55aa003f0de3388813abac5c5688b0da82669a3ddd7d2d12abeacc838fcfd6933bac42560 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9fd7796e3c14d52f3b38a20ac85753dc |
| SHA1 | 8f86437a63a80365439a4febe26dc37acd3d2ae2 |
| SHA256 | 32d54facdc4ba539dfe3f034e83bb2b5eb41485ab7c6130150dbdbd667d01643 |
| SHA512 | 27f65a2df510d6e9623cd9438fb75e8d28804539d076eae17d34bbf0971c1d8cbb12eeb79a4b300130b9ebcf23f922ca77d6ff79d027f5c1ee0bd55aeee97006 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7e0d9d5b6d71cfab08705ac72483f4aa |
| SHA1 | 7ebf84cbbfc4ff8632eed732b6e57d00ddf88466 |
| SHA256 | b4a04348b85b0bf6239b6dd82587e0017adefd31e41421d08b0d3985e57f28b3 |
| SHA512 | 64b36e5ceb09fc9757ce9347c1759e97aaf555bbc85ce276a538b29eaa2d345c070bc154c906b62c6f3c3789f6ad5c52b92d9812d43837a93667589af6489fcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb0b2b9cebe89d1e51cd66bd4f9f9afc |
| SHA1 | cd7ad47b89594bf8d5e53f9b34995aa1aa961643 |
| SHA256 | efcaaf8e11bc7256ffce17d7e63303f3c65ec4c9beed991c1e066e37d00f3bfe |
| SHA512 | d0d0555c1e625e1a8379040f20604ed18911c5a483b5f8cfd350e4ae719fd75a9f1630ea5fb7ad93cecfcf85a37b5de1109f56e13ad9f57e4e660527b782cc80 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d061c2257bf89415a385e3ec300906bc |
| SHA1 | d8de7d70ebbcdba607ff9129299f79ee3d4aa087 |
| SHA256 | 861859f214317693faef09ee10ca63a0a128ed87b261e2fd9aab58189ec95829 |
| SHA512 | 550611beee76677871233917c707ab438d29798e3bb6913e25ffc74c5e6df0ac2c89c0698fc74d9b20a90123677d5a4212ef7ce62f7a33a1c2eb6fc19735289c |
memory/2904-593-0x0000000000400000-0x0000000000443000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | 971c514f84bba0785f80aa1c23edfd79 |
| SHA1 | 732acea710a87530c6b08ecdf32a110d254a54c8 |
| SHA256 | f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895 |
| SHA512 | 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
| MD5 | ba64c8927a3d2f0573b0db6487add89f |
| SHA1 | 646c1faafcb25e01206980f352b3530e189ba9ed |
| SHA256 | 746f39bc75624c154bba8cd7419eb2e00f9fe5420a04d2eb8b5b2fdee35ad830 |
| SHA512 | 4aab49f54747069d3c2cf9d134f388a559f8b93b4ce1f3d5d860fde94eaf01383f24cf29a547453cbcc51be5183c4f791d7f36f003982d7a6656c1c5e175c194 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | 67e486b2f148a3fca863728242b6273e |
| SHA1 | 452a84c183d7ea5b7c015b597e94af8eef66d44a |
| SHA256 | facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb |
| SHA512 | d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
| MD5 | dac86f6676b6f14b52578dbd4394d0fd |
| SHA1 | 053a5195d8b611abdcebf74d9a7b46b8d70097d4 |
| SHA256 | 8097408238997c4dffd6e6185e2ad8e0bfb863a4262ea7f9fb2719462a6712e1 |
| SHA512 | 3a22ef0437a62daebcc99d4461afad79f99d88f057fa5a9aa68e930ee03b38f373bcf20dd3381792f86a41b0ad3760e2ef09b8f8b14264fdc58287ff858a0bad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9
| MD5 | e9855b3c6f08d1f2c13a88b4dc7cb955 |
| SHA1 | cc43861c842b195cc022d8ccf9f6984ddd88d4bd |
| SHA256 | 7d8dd79e5630070e5ef07b78bd2e586528b9c2807cbd88471088b35e31f37828 |
| SHA512 | 3a04b7125a7d2a1403677b2c5a3a91cf81101093a004255034637aeb4dac0b96687b454e8ab9dae0e6cf6c0bfea917f3caf6237d84b7f52f8246ac0c290952a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9
| MD5 | bf78158fae379f98f9bdaac5d8ac400f |
| SHA1 | 9ccc1cd62704b62619b3c316de2f83f9cb089782 |
| SHA256 | 01ed110e8b0dddc7bd85e3bcfff46e4fc90eaf6977da2f281045befa691d2823 |
| SHA512 | 186cd241f95fa5d99b036c94286ac5e60487fa31433149196d38891a77b592fe7bd8318aa46040e21460c7e38ade68cd137a73600be46ac2abf5d80276eff238 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | e935bc5762068caf3e24a2683b1b8a88 |
| SHA1 | 82b70eb774c0756837fe8d7acbfeec05ecbf5463 |
| SHA256 | a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d |
| SHA512 | bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
| MD5 | ae2383c77f84432d7be920b06b0defd4 |
| SHA1 | e6586a1bc19d4535b0174e2396c01ab916dd9014 |
| SHA256 | 30f9333261f40999bdc967f9a4702bacc11060203f42e12f1c863b804fa62c5e |
| SHA512 | 3fd2eb7dd0fbd8795fd3e28da214536629f9c5f7afbdf4488c5a7119c4d2884e58eaca1549f7caa90ce048488b50b6ba564770cbddac06315b3c40d8794c0bec |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f7a542507e069d28b5332fec3b44bc0b |
| SHA1 | 982120c37be28d4a01f3310b2e9d96179e74d7d1 |
| SHA256 | f0a618ecd050609d32d8c57121c2fba4bcee869f0b7c8a4149e7f6ed05ce75e8 |
| SHA512 | d07bf83c7e5e2abe8bd44775d8dc7a04a21d117858648a3a362fe2f577d9e2bc2168527a0d08f2816d069b850dc9935e9e3201acf81325e1d132f47af470d5eb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
| MD5 | b44b786694bfd96d3c090058dff2efd9 |
| SHA1 | d1d8701831fd00e083b82703c42e7f3d5c9b53a9 |
| SHA256 | 677c2e00b2bd2a8bbc4721cc7ca4ff0d5ce334fb3f8757396c7df51bd61ba989 |
| SHA512 | ad9a05daa2d007c42206ba13277e85f275f151ae9f7f1e4b1844e743a157c91cfc66bf2dc2068cb8279c5c29604a6cab7e961de7e45cf273f9211cf5d0ac171b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b0a42d9bf6ec655e462720744c003728 |
| SHA1 | e76b9937f1fe416fd77aaecc2d50d05fca1a2d06 |
| SHA256 | 650594376e14828c3bf8934099102625e40ba42b2c90da87fcbd77bfb754c872 |
| SHA512 | 7204e8cc9e4c425542f651871a6e79ad12fc5ff9079de5e5ab3036bef2bf241576ace629ff9c1e1dfd67f2a318a32ded4823d918c8620cd685d3931002a39168 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
| MD5 | 7baab2145b2248bfb00cb989f6857d57 |
| SHA1 | 532c61e53b41adc0161db7f36c6495a769d55bf0 |
| SHA256 | fc14bba6fda5e38034402c001a8cd65f242dcc1f883cc8df637c00b5ad9c2dd8 |
| SHA512 | e9f580201e5d9aa8577aeedc7d7df663d22eb3a8d39307ea640a62d7f28a5d67aa7f78834d9784e4ddb6a9b018babf2b6a3d1ece635d8345e1cdff757ce7e7ac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
| MD5 | ec48c020024ca393990eaad1c4166bd2 |
| SHA1 | 5645e6a65c6ee1cd0491f7bc417d22d30af7ff4c |
| SHA256 | 36c5f4a91e0125bd55d53e618441b88118d2b043ed2c162e0406b2b257e829fe |
| SHA512 | 6102a4c3a19bf097e918925c09088734aa1cce998803d7063f6900b94ecc161560d3d5bb3201a28cab8a944040d59f18df4bd4704e148bc98fcd2c7b73a4d9c6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
| MD5 | f7c322d89b848908953d539db567099f |
| SHA1 | a08d200d4705c70bb4b05b0d245d0471728bd097 |
| SHA256 | 3a0fba92ce8dff4b9fca701da6d3ae5bd47249756d5f1bb3c63a2eb8dff3a951 |
| SHA512 | cf194f6be7528f5b5c751e37aec7efd6fcd16ecb187f34d2bcaa89489ea06ecffbc4e2b5698abd6572c9691af342e4a2cc20150927b4769ef4fe0c89cc8bbc59 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HHT5LGG0\main.ef90a627[1].css
| MD5 | 3f821ada778691e677aef2cea8c4b4f6 |
| SHA1 | 643e7b729b25c2f800469623191dc837798e9d50 |
| SHA256 | 7510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d |
| SHA512 | 8993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\tag[1].js
| MD5 | 78cb756aa06b07c207880f7b4fbb721a |
| SHA1 | 6f96c8d80d2281afe016f345bdc448255740622e |
| SHA256 | cb666c470a82988da4f29bef5b1f8f3e1d4119fafc9e78538cc0e74f17c8c338 |
| SHA512 | a3fa57a8bc184f2561164395b9015305bfc6b4c1eeffae5a630395a21f730bf8a0640b4bc5d948d6f0bc78e3f6c829517ef011f1f78db0578272d8a1bb1aaa21 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\main.a345b721[1].js
| MD5 | a45598e4c3ad88168b72ba9e56f9db3e |
| SHA1 | 23ca76f52fafd8bbfee3426cc2202975a43d7450 |
| SHA256 | 9cde14ce75189208d1475f90c0cd75c31413d95f1c521ed0be883d3a5979647d |
| SHA512 | b719742992b9e1bd9a0f6a7b98eebe32718bdf1d4fc47ba3e1c0d5c2991d0019013cc5a6c1ade7416077e8136b6c24869cca87067b67e9bda6610743f6790241 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 795fdf71a1c15172511a1caefc1acc00 |
| SHA1 | c1175338460612d258ff9763ee62eef58141dc93 |
| SHA256 | d6642f5689531d601e3d2d657adad8ab66ba674d05f36c1aed89848ca62192a4 |
| SHA512 | 4657a9741bb84c523f09a5bbb0d0c3a1acecb8904e45e994c544d7f656c9d3ba6c4431a05b1ce1a6aa616f32c503c75853fcc1204461b3fd4e62164b3f4b2c57 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 3755dc974dc983c89c3eeb17650ddf77 |
| SHA1 | 54142c635c10f3babb9d8b1664be790718e96d0b |
| SHA256 | 592115ed4f1407febb0ced51e613ce66ad32d84143bfaed2c5990ad439a3cc71 |
| SHA512 | 6c2d76c24a005cf92121e2ec96ea1e6cbe93d6c2c48c910cbbea411841433148bfadf47c6ef85d5e7ce8b33f97ccc9131b314c8f9457b7f149ddb9451d02d95c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\lander[1].htm
| MD5 | e15c460ec7ba9ac34c90a95a4d8cf472 |
| SHA1 | 7f87fb6d10fa8b1d88972826b2fca27278fbcfa6 |
| SHA256 | e3645f226c6d2b938c261bdd3682a245e248f56e8cf7ef6d8ac30011d7ede8a7 |
| SHA512 | 5b69a590abe2c9289db9d09886fc74478dab94d029438a1e2bbc2019a27e008f776c838fbdc3a9c40b4dff322c8510cb6d4f34ab51cf76a40cedfac14e97f070 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\K24RBSJD.htm
| MD5 | dfeb07871e58cd3537f30da5fad9ca14 |
| SHA1 | fc52042fa6ee618f89631335f61c067893d024aa |
| SHA256 | 8d9ac95b12968978fb7ae85bb9a6d968cdd3f6a22c5cc772fe7fe129fc31f66a |
| SHA512 | 6e006480d85d3358a6f7583310b0de2311b174956ae3c8ab3f3af24095b984418b6b9277e746c5c55a14bc9cf7d41f9822d03767d974301a60029f8e6398faf3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 6ec969909b8621412aa4bd1cfeac7425 |
| SHA1 | 4649c4f3206c076966bf0afe9c1a9791f9db766f |
| SHA256 | 457217b40524e3d387e63cfb37dd7eda17a19b425af8d5d83b3a8f18fdf1766e |
| SHA512 | e67fd1ef72bc6c2a2bb56311a5d3a8f56f07c85a6caa98b1bb766a411fe8fc6c367764c62c90e6c9c983423d9a692e44e7c76fdb290ce1a3b00819ee1f7df918 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 50d0f5703ad5b20964b0273a14667a7a |
| SHA1 | 0979e3c7ab429303a2d3ec776d0f3cc765170a34 |
| SHA256 | fd94c0b40bf2fc0155453238266e542332264c5b8391743ec0d96002563e6f3c |
| SHA512 | 0c3eb72b89d23c3524e91c2ec4c58fbc987362fbb98426affad4039dc4cd2cc5736092c0c347fc8dc022e8a226c2a1ff97235470ee63e9b1750fc971198e7921 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 258e844bb6f7a54e0be781d9202ce842 |
| SHA1 | 59e8af133770811ec401d428f6780f0922a01cc4 |
| SHA256 | 5ecf919819abe5b948f27a2df6cc20b8e9bdebd38bb3f92701c77778c8c14d8f |
| SHA512 | b2bd5852409c5c6dcf239cdb48507ca9fc9b9f8b2e412d1c865495e01b6dc174ed6cb7ae96b12377adbe8052172b6875b29646f48a44823818894a1226c63b65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ed85ed03cceaacb9e0b61974696c4d33 |
| SHA1 | 19cae7c5fc5f36a9e4f243e0435c4cf60e98c5b9 |
| SHA256 | 9639458d876b68307f3298732f96de5e78c07b3bfb454a82169dbf9a708067f5 |
| SHA512 | 04b3e1139fa6064c38f557df4420aaa47ecbc7769200721f322984be5ca280878fe3db4a1de2a8cdf8c4231c5f1574f52c3d13bf0f153cc4f63c76b7b22336d0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e76f8fd47159f90962f1bb286b90fafa |
| SHA1 | bf4b4684d4ebddc1bcb012a7c04bd54420a5a4ff |
| SHA256 | 8bf71f756d6987900c29e84e9e35cb0f5ea7ef8d421ed67218b261321fc4429c |
| SHA512 | 2e08864603e08edd5179990b012f28d2d5567b1caf7503f353cdaffffdb1368dfc5d0d9c7023a9ff0007ff6b2e3f6e6ddf45ea8bec3a1cf5b205a1255bf67cc2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1fbeab8cc73c08d314e562ae6cdd8ccf |
| SHA1 | 0e1cc30f3541eb5b8991cfd5e1c19935e4e7698b |
| SHA256 | 3b34fe00840e19c62fb492c2b1237e8c5133a1c9176a234cea6d581dbeb12676 |
| SHA512 | 49cdc60b4a0aa827b4af5d3c7e17560df9126015539357310b6b4009f266c4b354919992438cc27ccf1cd7a2b154a1c372c26bdb7c1c627a79d1849a109cf084 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | efe2aa3710b0e0d2bd61e68ab5235e0a |
| SHA1 | 43745b5e01b31b03b041f009493f85caea08f61e |
| SHA256 | 63630cacf99cb6331490228f51b4c52ef9dd45e2d13adae07c18cf6114b1b827 |
| SHA512 | a5ecd72abac5e2a0e3aa4c3257a39a9f52b88a71e2adf5ed1d6a70a47ef3aa0a47b6014e06e2f179dfadd0091fc8fb4ce1bc592afa3cb16fd33db6a2aa71791b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | bb370fe147dc46c1be43098dc4cbb5b1 |
| SHA1 | c4035637e412a4709507ef02768fdb537ec05548 |
| SHA256 | caa780a9aecf00b2def1e456d919eea51f06d4da83d435aa96e6113538406d9e |
| SHA512 | 0713f9d7817d68d64db9c3cd70124015f2518a8edc6682467b9ba6713b54875cdec2ec394e01918ed1700beb85f90b6b92aa13820251ca0bd0c4d4b3b26c5be8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ede10794f4c601081772dee7cd30e33f |
| SHA1 | 7df7545b9be43acace07949e2002eeb40be0248b |
| SHA256 | 0259b7b81521f22ed1af97964ab8845e505b1257efc8f6c36083cb82ce36548f |
| SHA512 | 6aa83900059c5dbc525cae2190871d24c76ef130f72c916045c5bc16a827500291037bf845bb3bffae16d0d1c02c3888d1b45ecb92d45d24df73843201b8ab10 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5583bb76d57f2fae625439b5d26fd7ff |
| SHA1 | b619cd1682b9f1fd48d8431b9077a9fb1a445a41 |
| SHA256 | b7835bbb42a46948e99fe375ed321032427632e9eb5c793435e36ceba9880a45 |
| SHA512 | 4ff0b95a7f692eadf31a6cf93fb1ad10aa6239372f2fcd150971a168bfd002689b891e9a197e6c3ae0363ae093f61c2eb0db1dc769af79ede91b4414e7790bc4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5a47a62470ea51ebf179a0b887078a3e |
| SHA1 | 8d9fa56e4754bca87506f7f38996a841556ec0a9 |
| SHA256 | 8d7d6603172deca21a1ab4782650364d26fcf6e6c066a753205ed275c026ea08 |
| SHA512 | 30d80f04e143ddf49f008b642ebde3405670b4a8f003aa3882fe0bb6ecb681a5f295f1cf2f9e1a249426b6a9e2c079f47460f9b7a573691dee97f59c648797f1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\caf[1].js
| MD5 | 7b5b5acb8585466efe4ee1675d46dcb5 |
| SHA1 | 84bff504a1b14404ef4b288465c95d454b9f6b4d |
| SHA256 | a4307735856c3205a21f0f6d40dda07e57a2d21d495c1d1a386581f7b9f1289b |
| SHA512 | db996d431955302468ebf45fa08be60aadb0934507d5b91743ee2ec9fe40d8b8f3722ba03b233fa6c0738bab3fada3526c980033d704a5926637a039da0ec9dc |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms
| MD5 | fdae27b090d9a0741aed17ab388b0a70 |
| SHA1 | 7e56c01e24ef2d2fa8e18ca33c848aeb058a435f |
| SHA256 | 01ce9959d361a7ea575c73024e7f49de548feeb488273b0645596f9178d1962f |
| SHA512 | 8a90b5acb08a04fd9304e3f0fdbb614767ab4552e3d89ec53ea1c9c5ec14a2f11bb549eec0d2340a9fa6461aea42c43e6883699043bb63f3a8cd9a8802bdae01 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a1d8d59912b59ead02de9c6f160f0cb |
| SHA1 | 28205d57b3760831603020e7f963842f2b4480fd |
| SHA256 | aeac6ddc73e5babeabbd81cbf7e13e61d2dc6507ed8278dc8a9abd2a164918b5 |
| SHA512 | a50bfb9d13e8c42fce38f11486406f25cc836b9b29441aa9d4851a2c0d9d13d319bfd81c0df722648271aad948c21c3f1494ee2072be13f9254d36055dff7316 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\caf[1].js
| MD5 | 0f190477fe91af746163dd0b1acb0592 |
| SHA1 | 5d4e1021bf48afa7ad5b62670bb3a50a0ac7566c |
| SHA256 | f83c8303e4124769ff07b4340f4e6f9bcdbef4a3d508208a96755ddc5d6f9a90 |
| SHA512 | 4430a19bfc3d2262de0b1c1de6751e51d37d0f861c1a2d045c0320f909fcd6ca240f4ff8642b6efc52ad27e1598e61bd433bda08da46f3a8268c81a7706c5eac |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\caf[1].js
| MD5 | e69ac32ab1e181b296b5d71cfa1ef63a |
| SHA1 | ad1d570d7a5fb3ffc42ecefe1cea13a9fac205c4 |
| SHA256 | 8d0dd55974c027b602fa403e5372a69dfc99c122fe9e1983f3bb1bb3dc28dac7 |
| SHA512 | 70a990c4f0e5af5074304b2f625130e2741d8c532a05c603adc853d184da203eb51859e66e998539e57f3cfb4e6fad6ba8196c81ceba03b6c1ae7e85afa1b243 |
memory/2904-1349-0x0000000004AB0000-0x0000000005B12000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:12
Reported
2024-10-31 02:56
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
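For a responder, the useful content of this run is the set of "Set value" rows in the signature tables above and the Image File Execution Options table that follows: each row names a protection that winlogon.exe switched off (the firewall profile and its notifications, the Security Center service and its alerts, UAC consent, regedit) or a hijack it installed (an IFEO Debugger value that makes Windows start the dropped binary whenever the listed security-tool name is launched). The script below is an added example, not sandbox tooling and not code from the sample. It parses rows in the exact format these tables use, maps each write to the protection it weakens, and decodes the legacy firewall allow-list entry format (path:scope:Enabled:displayname) that the AuthorizedApplications\List values carry. The rule labels, the function names parse_rows, classify and parse_allow_entry, and the check that an "@dll,-id" display name with an ID above 65535 can never resolve (string-table resource IDs are 16-bit) are this example's own assumptions; the sample rows are copied from the behavioral2 tables.

```python
"""Map 'Set value' rows from a sandbox signature table to the Windows
protection each write weakens. Added example for this report, not sandbox
tooling or code from the sample: the row format and SAMPLE_ROWS come from the
behavioral2 tables above; rule names and the resource-ID check are assumptions."""
import re
from dataclasses import dataclass

# | Set value (int) | \REGISTRY\...\ValueName = "data" | process | target |
ROW_RE = re.compile(r'^\|\s*Set value \((?:int|str)\)\s*\|\s*(?P<lhs>\\REGISTRY\\.*?)'
                    r'\s*=\s*"(?P<data>.*)"\s*\|\s*(?P<proc>[^|]*?)\s*\|')
LIST_KEY = r'\AuthorizedApplications\List'

@dataclass(frozen=True)
class Finding:
    rule: str      # this example's label for what the write weakens
    key: str       # registry key the value lives under
    name: str      # value name
    data: str      # data after undoing the table's \\ and \" escaping
    process: str   # process that performed the write

def _unescape(data):
    # The table escapes backslashes and embedded quotes inside REG_SZ data.
    return data.replace('\\"', '"').replace('\\\\', '\\')

def _split_key_name(lhs):
    # Firewall allow-list entries use the program's full path as the value
    # name, so the split must not stop at the path's own backslashes.
    if LIST_KEY + '\\' in lhs:
        key, name = lhs.split(LIST_KEY + '\\', 1)
        return key + LIST_KEY, name
    key, _, name = lhs.rpartition('\\')
    return key, name

def parse_allow_entry(data):
    """Decode a legacy firewall entry: path:scope:Enabled|Disabled:display."""
    path, scope, state, display = data.rsplit(':', 3)  # the path holds "C:"
    m = re.fullmatch(r'@([^,]+),-(\d+)', display)
    # "@dll,-id" names a string-table resource; those IDs are 16-bit, so a
    # larger number can never resolve and the display name was made up.
    return {'path': path, 'scope': scope, 'state': state, 'display': display,
            'bogus_display': bool(m) and int(m.group(2)) > 0xFFFF}

def classify(key, name, data):
    """Return a rule label for a weakening write, or None."""
    k = key.upper()
    if k.endswith(r'\POLICIES\SYSTEM'):
        if k.startswith(r'\REGISTRY\MACHINE') and name == 'EnableLUA' and data == '0':
            return 'uac_disabled'
        if name == 'ConsentPromptBehaviorAdmin' and data == '0':
            return 'uac_admin_elevates_silently'
        if name == 'DisableRegistryTools' and data == '1':
            return 'regedit_disabled'
    if '\\FIREWALLPOLICY\\' in k:
        if k.endswith(LIST_KEY.upper()):
            return 'firewall_allow_rule'
        if name == 'EnableFirewall' and data == '0':
            return 'firewall_disabled'
        if name == 'DisableNotifications' and data == '1':
            return 'firewall_notifications_suppressed'
    if k.endswith('\\SECURITY CENTER') and name.endswith('DisableNotify') and data == '1':
        return 'security_center_notifications_suppressed'
    if k.endswith('\\SERVICES\\WSCSVC') and name == 'Start' and data == '4':
        return 'security_center_service_disabled'  # 4 == SERVICE_DISABLED
    if '\\IMAGE FILE EXECUTION OPTIONS\\' in k and name == 'Debugger':
        return 'ifeo_debugger_hijack'  # starting the key's image runs Debugger
    return None

def parse_rows(rows):
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:  # 'Key created' / 'Key deleted' rows carry no data
            continue
        key, name = _split_key_name(m.group('lhs'))
        data = _unescape(m.group('data'))
        rule = classify(key, name, data)
        if rule:
            findings.append(Finding(rule, key, name, data, m.group('proc')))
    return findings

# Rows copied from the behavioral2 tables of this report.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |',
]

if __name__ == '__main__':
    for f in parse_rows(SAMPLE_ROWS):
        extra = parse_allow_entry(f.data) if f.rule == 'firewall_allow_rule' else ''
        print(f'{f.rule:42} {f.name} = {f.data} {extra}')
```

Key-creation and key-deletion rows carry no data and are skipped, and PromptOnSecureDesktop = "1" is the default secure setting, so it parses but yields no finding even though the sandbox groups it with the UAC writes. The allow-list entry in this report points its display name at resource ID 70554750 in xpsp2res.dll, far outside the 16-bit range a string-table ID can hold, so the rule could never show a product name in the firewall UI; that alone separates it from entries a real installer wrote. The IFEO Debugger value resolves to the same path as the process performing the write, so any attempt to run the listed tool re-executes the dropped winlogon.exe.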
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmntsrv.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamauto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
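The rows above record Image File Execution Options (IFEO) Debugger hijacks, the behaviour listed in the summary as Event Triggered Execution: Image File Execution Options Injection (ATT&CK T1546.012). When a process whose image name matches an IFEO subkey is created, Windows launches the command stored in that subkey's Debugger value and hands it the original command line; the requested program itself does not start unless the "debugger" launches it. Because every Debugger written here points at the dropped winlogon.exe, starting any of the listed security tools (avp.exe, avguard.exe, vptray.exe, smc.exe, ...) starts the malware instead. The Python triage script below is an added example, not part of the sandbox report: it parses rows in the report's own table format (a constructed subset copied from the table above), extracts the hijacked image name and the Debugger target from each write, and lists the IFEO keys that were deleted. The two heuristics it applies (Debugger under a user profile, Debugger identical to the writing process) are this example's own assumptions, not the sandbox's signature logic.

```python
"""Triage IFEO Debugger hijacks from sandbox-report table rows.

Added example, not part of the original report. SAMPLE_ROWS is a
constructed subset of the report's own rows; the flagging heuristics are
this example's assumptions.
"""
import re
from dataclasses import dataclass

IFEO_ROOT = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Constructed sample: four rows copied from the report table above.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
"""

# "<key path>\Debugger = "<C-style string literal>""
_DEBUGGER_RE = re.compile(r'^(?P<key>.+)\\Debugger = "(?P<value>.*)"$')


@dataclass
class Finding:
    image: str      # executable name whose IFEO subkey was hijacked
    debugger: str   # command Windows will launch in its place
    process: str    # process that wrote the value
    reasons: tuple  # why the row is flagged


def parse_rows(table_text):
    """Turn '| op | indicator | process | target |' lines into dicts."""
    rows = []
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        rows.append(dict(zip(("op", "indicator", "process", "target"), cells)))
    return rows


def _unescape(literal):
    """The report prints REG_SZ data as a C-style literal (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", literal).strip('"')


def _under_ifeo(indicator):
    # Registry paths are case-insensitive; the report mixes both cases.
    return indicator.lower().startswith(IFEO_ROOT.lower())


def ifeo_findings(rows):
    """Flag IFEO\\<image>\\Debugger writes that redirect execution."""
    findings = []
    for row in rows:
        if not row["op"].startswith("Set value") or not _under_ifeo(row["indicator"]):
            continue
        m = _DEBUGGER_RE.match(row["indicator"])
        if not m:
            continue
        image = m.group("key").rsplit("\\", 1)[-1]
        debugger = _unescape(m.group("value"))
        reasons = []
        # Assumption: real debuggers are not installed under a user profile.
        if debugger.lower().startswith("c:\\users\\"):
            reasons.append("debugger lives under a user profile")
        # The writer registers itself: launching <image> relaunches the writer.
        if debugger.lower() == row["process"].lower():
            reasons.append("self-referencing debugger")
        if reasons:
            findings.append(Finding(image, debugger, row["process"], tuple(reasons)))
    return findings


def deleted_ifeo_keys(rows):
    """Image names whose IFEO subkeys the sample removed."""
    return [row["indicator"].rsplit("\\", 1)[-1]
            for row in rows
            if row["op"] == "Key deleted" and _under_ifeo(row["indicator"])]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for f in ifeo_findings(rows):
        print(f"{f.image:<14} -> {f.debugger}  [{'; '.join(f.reasons)}]")
    print("IFEO keys deleted:", ", ".join(deleted_ifeo_keys(rows)))
```

The same functions work on the full table if the rows are pasted into SAMPLE_ROWS; on a live host the equivalent check is to enumerate the subkeys of the IFEO key and treat any Debugger value that is not a known debugger as a finding.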
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Checks whether UAC is enabled (the logged operation is a write, not a read: EnableLUA = 0 disables UAC from the next reboot)
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
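Taken together, the three tables above disable the visible safety net rather than the protections themselves: the Security Center *DisableNotify and DisableMonitoring values stop Windows from warning that antivirus, firewall or updates are off, EnableLUA = 0 switches UAC off at the next reboot, and two Run values with 48-character hex names relaunch the dropped winlogon.exe at logon. The Python audit below is an added example, not part of the sandbox report: it turns those observations into rules over a path-to-value mapping of the kind one gets from `reg query` or a hive parser. OBSERVED is constructed from the tables above plus one benign Run entry for contrast; the rules, and the 32-hex-character threshold for a generated value name, are this example's assumptions.

```python
"""Audit registry values for the security-posture tampering seen above.

Added example, not part of the sandbox report. OBSERVED is constructed from
the report's tables (plus one benign Run entry); the rules are this
example's own heuristics. Registry paths are case-insensitive, so every
comparison lowers the path first. Integer data is expected as int.
"""
import re
from dataclasses import dataclass

SECURITY_CENTER = "\\microsoft\\security center\\"
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
ENABLE_LUA = "\\microsoft\\windows\\currentversion\\policies\\system\\enablelua"
# Assumption: a value name of 32+ hex characters is machine-generated.
HEX_NAME = re.compile(r"^[0-9a-f]{32,}$", re.I)

# Constructed from the tables above; the OneDrive entry is a benign control.
OBSERVED = {
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify": 1,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify": 1,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify": 1,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride": 0,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring": 1,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring": 1,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA": 0,
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF":
        r"C:\Users\Admin\E696D64614\winlogon.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED":
        r"C:\Users\Admin\E696D64614\winlogon.exe",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}


@dataclass
class Finding:
    rule: str    # short rule identifier
    path: str    # full registry value path as supplied
    detail: str  # what the value does


def audit(values):
    """Return one Finding per value that matches a tampering rule."""
    findings = []
    for path, data in values.items():
        low = path.lower()
        parent, _, name = low.rpartition("\\")
        if low.endswith(ENABLE_LUA) and data == 0:
            findings.append(Finding("uac-disabled", path,
                                    "EnableLUA = 0 turns UAC off at the next reboot"))
        elif SECURITY_CENTER in low and name.endswith("disablenotify") and data == 1:
            findings.append(Finding("security-center-notify-suppressed", path,
                                    f"{name} = 1 hides the Security Center warning"))
        elif SECURITY_CENTER in low and name == "disablemonitoring" and data == 1:
            # Scope is whatever follows ...\Monitoring; empty means all products.
            idx = low.rfind("\\monitoring")
            scope = parent[idx + len("\\monitoring"):].strip("\\") or "all products"
            findings.append(Finding("security-center-monitoring-disabled", path,
                                    f"monitoring disabled for {scope}"))
        elif RUN_KEY in low and HEX_NAME.match(name):
            findings.append(Finding("run-key-hex-name", path,
                                    f"autorun with generated name -> {data}"))
    return findings


if __name__ == "__main__":
    for f in audit(OBSERVED):
        print(f"[{f.rule}] {f.path}\n    {f.detail}")
```

The hex-name rule deliberately ignores where the Run target lives: OneDrive also runs from under the user profile, so a path-only rule would fire on it, while the combination of a generated value name and a path under a user's profile root (E696D64614) is specific to what the report shows.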
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 512 set thread context of 3716 | N/A | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe |
| PID 1664 set thread context of 376 | N/A | C:\Users\Admin\E696D64614\winlogon.exe | C:\Users\Admin\E696D64614\winlogon.exe |
| PID 376 set thread context of 4008 | N/A | C:\Users\Admin\E696D64614\winlogon.exe | C:\Users\Admin\E696D64614\winlogon.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound\Beep = "no" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1070936923" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140672" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000006d569d97abca0f803d47b7ad8396921473e855d8ff80fc5be1ab138e6eb7c77d000000000e80000000020000200000009634e6338f029b32a9e3cf8ef4cd0fa20ae5752e98b1aaecb728de397e240b2920000000b57b30cb10909c71256ad5590cc76dc4866098c54a418577640e03ca7fafe07a40000000eeb6357a1d3d44f7776209d8a3a34f622f60a327bb32524968feca495a04120ee69d77615ca77f5e703520d49ed956f84ca8a3c0061170493a76fb5b2b85f8d1 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437108232" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000b58b885e8a7002b6e625080f2308f4df18aa61dc3f17cf94fc1a08039129c23d000000000e8000000002000020000000dff2cc63c473bcc589b6c05c0f93d925f791618c581e852439740b11c666062a20000000729aaa83c132faa0b7705ab2d98ab52ff9b66d4ff31eaf1014471d897d1b622b40000000b39fd3e7b4b7a9c25437470b0c22bdfe2178c21cd8e41def669ba766a51a46be064987113d1168da86dc48565db6485bfe2bc2955f440a1bbaf846fc354952d9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000ee1a1f2dc0d094d70ca6ed933b19e6cdf4a49cf15cf0d72622fec202382e7012000000000e8000000002000020000000cfed2eb336e3f2fd0f5152629eb7c38232a633f6ad32cf72710d3c08a8512bea2000000061df3e71d3f5011b2690b2422250e2bbfba77baad8a7897dab4624c058210679400000002087ab9a51f6853c95c3bd6a13960dc879a5785835a9dddd0d7a608f3904e500ba20825f83550f6cbcc2edf3ad75b6540287cfe56f63b453f3efedf6d8021b33 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000065a950fe7baa3f1dbfebd61e21d6ef170575f5c265fb701fcb54debabe12ffce000000000e80000000020000200000007ea859582887b03f47fddafece88cff2dfd7f957adce04df064c5388b7ff28622000000027c624b79ddd37451a05096a21608791cc6983ead3f6b254dc126fe203866d9c40000000a7d4b6ec81e8b34c7ad1bbd6e0cd126df631c978eb63fdb534a3790d3a79528053adcca9fa3acfa9a9e4f6dbc38da25cf3ab972afc3c8d41cc96e5e8e1bf4d11 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102cb46c402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://7802os2tclomc07.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eb613c3ae7e8e8da6bc38d1e3e787974736077152305a10e7ebeaae8e5a04a55000000000e80000000020000200000006c2090d22a034a2e05d65fdde6ee7e7e574ab430ee33d652505e235c408d02ee2000000054b072b7382c5b03bde5a1481bfc3926dfcec2069802339bc8ebd1c7f43222264000000091f6f9073bf87f91c0002d03fe8a47d3d2665f8da2570f521606b463865bc17991eeadf2e38e64046f3786dc5905610a4e8f719b2b1e07cf5161c1adb70709a6 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0145257402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70765350402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000a5dd159e6de570b898b60bc797ecb83285c43b6eaef733e05c0de8769cfc627e000000000e800000000200002000000052c8662ad571843fe8f0f528546cdb7ddc8a88bfc1bafe474a09655f5f2b0d3d200000003af0d826efc6efd50f1d29cf93c71b5e453b7b827cefcfe37a3c28c729aa27bf400000002ad5e4c096aa4494c83fadd8224ec439546e798381dbe1316081227e9b672c64e42c66ff5ddc73a85b090b5d7286159a86422a03a584b9b10512271f67c21e6b | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000042c417198a6734efd6bd244401b86aa33822dad359ab1247f0f81dab99122f1a000000000e800000000200002000000011f6de9939e2ac224b87f097fefa93a0c3bc3981599dacc3c1c0f0e8e3476804200000003d690a8effa8b6db841e05f6ae89dfadc317965ac069544b1ff2e5fb24c6697340000000d5a7d3f6e5eb0fca9547d8e94c48e8342737d0d0191c12cf84f439f9ffd859fe477d54b3f3a2b285862b810b3bfc8af11c057c69df570480b4c2e7191ab4a387 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c6c7f522df86b8efce5bd2bb825b0b5f7e778cff67fbd1f7f27c1262c8b69ce7000000000e80000000020000200000009cf4f21d283151e84b12d7485491320ea5b4a5c16cca01f6dc2bede6962f69cd20000000d4c3a9e31d681aadf548a06c25a41193c61efa5f3655ae7c5db3a7648e4bced340000000d53df888c19276f34b9dc69bf00ef137865039f8b0df2994a8560c175c5d8b1af5099f5e04f459e76a6bc6fc848a8e161f4a0a0c64ebe5545f51e91407cef642 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7014592f402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140672" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://z548qjnsyy80x2w.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a048013c402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1072187176" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dfd442402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f74948402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000db0a782b812c10bba7d8e7ef57c96433586152e91fea49cc0a23c820469fe2cb000000000e800000000200002000000063ef3ee11854f0b8d56401c55363cb0b16d2b187375e75b657554d0c41dd991b20000000b1ac671f665e13f273550ec0274a1a60afd3ff4412a8b9d6915d44ffe09c6cfd40000000837299aed2fd7737252dce63c24d2ec213e6962588e757f7279799f3c84af38fdf17129a6f27ed6e52a06bbb8a4ca68ee15df4ca6102833105cb5224d9bd0dba | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000007e7070226fc0804c1675de4c08e570226a386de0a35d9ff6530e1df406d82d68000000000e80000000020000200000000e88a9719e2ef12f73de2953276b399b1e8772fd39351af55482a356dc824a5520000000d358dcdc1399a97471e5e879452027dc680a89637340ed9df68f1d31a17e850f40000000ad74a954b32ab03e9374d27955ec4d8455d1e942ef70a05783b205ad23b4bb27e8ff73ad4d4530c37cfa195d45f9e7205460f93f7766a4bb4347a9ddf9fba8c8 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000f24800e02bf3f4274a215ed2c583542bdef509dbe12c85f1727d3c128d20ae11000000000e80000000020000200000005697cc6ff0bc6bd49a4fb716f2612c490f6a8cfb6927f4b4448a9d9c40ce786a20000000ba0bf7113c9870a044dddb4c688d28fedc08e62f1c7221220566a75521f7c84240000000fbf8d3e39ea18bcff901bbdcdbe4bd424a67e21e72667e72f64e6cb462159ccb932459808033a7394ccc280988ee335d9408f4aa8734f1f18204bdc6b5178a5d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://px3pj6420c4m1t9.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1072187176" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0697649402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000d1e66fc4038e215f446afe02f1430b887e91085213d81eafecc9e8abaac17cf1000000000e8000000002000020000000ce2f95f1629ce73e4ba08fbf537ac7d20b8da92fac90f840a88bb4780cd09e4020000000225a5b724210fa426eaf56e895f37f294d2c9474372715874e39abf90b205be440000000b7f6d8db9d9a0384de84f0064fb1a5c77968654a5f04a0144fb03566d6a9eaca84c73c9edc97fcc2a02326971885ebeb6a702db22b0251ce3d15d06e48baa15f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c047b0cd0fe18cc51034eb777aa2e56f11eecb1bdfddd587d1babb3409d452d4000000000e8000000002000020000000a05463b846e1aa1b6aaa3d90a9b6b5778525be25f7c4d3e037b654ec7c96c6022000000097af54c676c876e7afe696760d6ac7ff5e8e678d5e93ce0c834c6e7f10f6796840000000d5e5ab8af75aaa11aada6093872bf8c431fe7bacd62aad7a317f9fc3f7d3464162fdfe32a2896ba265064964a094817008449de646df46864c4dba8ecdd6b9bc | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000049068dd8204426a30cbd3d9f007ec2f5f4a0cb8112562231feede379a66edf2d000000000e8000000002000020000000f2476e8dcdfd246faa903413ea35a12a49fb4e24476e6df682cd4f9e699ba046200000009e5ded80099cf695c266784ab51384c3d135c81d39a594abe3a3991c3f23803540000000b165d4d6bf55f0fd55788e82fa0d9f68493d4e268c950e9a9450bd38f2521f29a278c8df09008c627a9146f048f09fe7293db4817ff0691d311ebd84dd319da7 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705d1d72402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://8q69g5bk2j47vt6.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6B6E0B13-9733-11EF-ADF2-D6A59BC41F9D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06eab6b402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000008e93a80b4a3b9d69277f777e53e50374c5b4c0626359958d18f37b749f9f16ef000000000e80000000020000200000004ec5c1121d231eb7a22447076db0fa0a07542791a1cecb1e31a7dea214473d9d200000008ced556bfe19fb5c03d2b7f057325c3526a4726081d09dd12a8483bf6500473c4000000010ac13f971d7237c284a3a284d976202a128e068c7b418300ae87bb47ff45fc117950aa6205f6d6c3a426726c0e300805bcec32e7d66a2765b3ef4e7149f8359 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b94c65402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0235148402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eed5ebc81741a8c7383c3a4bb0fabd0df883eefbf3d3eefef63270cc68d66ab7000000000e800000000200002000000087bccc64319a3eea56d297f3f195374280e5772c2523be0894a852fe192c059220000000303cbdb2987f940d69a133386ac419159ef0856dccf67f2cfee6c80e10ec0edb4000000093756c9052f3ff33bcf56ef1a5c428417cd235781ee537d51e87f0592a54f83aa38d4da2e671be0c2b4cbba8ec31fe01d6cfbb7d1912efc606201b950c76359f | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000ac2ee100f758f189638aedb6f73e4240fcc99016009ce1f37893114c655b1acd000000000e8000000002000020000000357ccfad998a48cd9c121014b9e59f1e1fe049069c6dd83b9839de10f0340e8d200000008435d583902ec24a37c9a6a3ebd35c40cf0d146ddb5df9a692d945d111e614ab40000000a8bb0e816498987b326d3dee262f4b53b1e588edee4cfe3a7379e8d7fec47ffcd4d96063ac4f0977f699439ed6737120bf83163598b6f636007e499342ffd2ff | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://qd8ge4z1t2o3d08.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://fctsigx8jbazi8b.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1070936923" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3047555e402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a061935e402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908d6c3c402bdb01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://71r6716le07z4zq.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://711h081oz8s12r6.directorio-w.com" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | C:\Users\Admin\E696D64614\winlogon.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\E696D64614\winlogon.exe
C:\Users\Admin\E696D64614\winlogon.exe
C:\Users\Admin\E696D64614\winlogon.exe
"C:\Users\Admin\E696D64614\winlogon.exe"
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17410 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17418 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17428 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17436 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17450 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17464 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17478 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6y2p57146tg986q83t33ukl626on3m.ipcheker.com | udp |
| US | 8.8.8.8:53 | whos.amung.us | udp |
| US | 172.67.8.141:80 | whos.amung.us | tcp |
| US | 8.8.8.8:53 | 80q14wg613i0dvyp84735236ql14nj.ipgreat.com | udp |
| US | 8.8.8.8:53 | widgets.amung.us | udp |
| US | 104.22.75.171:80 | widgets.amung.us | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.8.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.75.22.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 711h081oz8s12r6.directorio-w.com | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.buscaid.com | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | www6.buscaid.com | udp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.79.56.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | btloader.com | udp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | ocsp.starfieldtech.com | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 192.124.249.23:80 | ocsp.starfieldtech.com | tcp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| US | 8.8.8.8:53 | 56.204.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.41.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.195.100.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.249.124.192.in-addr.arpa | udp |
| GB | 142.250.180.3:80 | o.pki.goog | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6k3da4664217k53052jd32q536041d.ipcheker.com | udp |
| US | 8.8.8.8:53 | 31fs20ah9142yhwv0v74x70dj9j752.ipgreat.com | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | 52.195.100.95.in-addr.arpa | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 8.8.8.8:53 | q142n1ztju02e7vnpv7nbap4p1878q.ipcheker.com | udp |
| US | 8.8.8.8:53 | 454as5gm5k13q2232724s6w59q9t78.ipgreat.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 95.100.195.52:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | www6.buscaid.com | udp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 8.8.8.8:53 | p6623509va9fpzn154mqjvj593ltj2.ipcheker.com | udp |
| US | 8.8.8.8:53 | kh0vv0mmrxo9de59cvd6779e4nnl81.ipgreat.com | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 15.197.204.56:80 | www6.buscaid.com | tcp |
| US | 8.8.8.8:53 | img1.wsimg.com | udp |
| GB | 172.217.169.36:443 | www.google.com | tcp |
| US | 172.67.41.60:443 | btloader.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 95.100.195.46:443 | img1.wsimg.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 8.8.8.8:53 | g0l3c0drf5i2enc93548qb7is3gei2.ipcheker.com | udp |
| US | 8.8.8.8:53 | t43j87f3b30222r51u2dwz6uapgg98.ipgreat.com | udp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
| US | 45.56.79.23:80 | www.buscaid.com | tcp |
Files