Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-cmvsvsxcna
Target 8126840a68ac0b59131895236692c577_JaffaCakes118
SHA256 d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435
Tags
upx defense_evasion discovery evasion persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435

Threat Level: Known bad

The file 8126840a68ac0b59131895236692c577_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery evasion persistence spyware stealer trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies firewall policy service

Windows security bypass

Modifies security service

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables taskbar notifications via registry modification

Disables Task Manager via registry modification

Disables RegEdit via registry modification

Windows security modification

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Checks computer location settings

Indicator Removal: Clear Persistence

Checks whether UAC is enabled

Adds Run key to start application

UPX packed file

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies Internet Explorer start page

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

System policy modification

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 02:12

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 02:12

Reported

2024-10-31 02:46

Platform

win7-20240708-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\E696D64614\winlogon.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp95.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icloadnt.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebloader.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwcl9.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vvstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ogrc.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectx.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe C:\Users\Admin\E696D64614\winlogon.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\E696D64614\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
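The Image File Execution Options rows above, and the firewall, UAC, Security Center, Run key and startup-folder rows earlier in this analysis, all share one layout: an action, a registry or file path, an optional value in quotes, the acting process, and a Target column. The script below is an added example, not part of this report or of the sandbox's own tooling. It parses that layout, undoes the escaping the sandbox applies to value data, and turns each row into a finding a responder would act on first: an IFEO Debugger value redirecting an AV or system binary to the sample, EnableLUA set to 0, a firewall profile switched off, wscsvc set to disabled (Start=4), a Run key or startup-folder drop, and a hosts file modification. The row grammar is inferred from the rows printed here rather than documented by the sandbox, the sample rows are constructed copies of rows from this report, and the rule set and finding names are the editor's, so treat them as a starting point and not as the sandbox's signature logic.

```python
"""Triage helper for sandbox registry/file signature rows (added example, not part
of this report or of the sandbox's own code: the row grammar is inferred from the
rows printed here, the sample rows are constructed copies, the rules are the editor's)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the report's "Description Indicator Process Target" layout.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\E696D64614\winlogon.exe N/A
"""

# Registry paths start with \REGISTRY\; process and file paths start with a drive letter.
_PROC, _REG, _FILE = r"(?P<process>[A-Za-z]:\\.+)$", r"(?P<target>\\REGISTRY\\.+?) ", r"(?P<target>[A-Za-z]:\\.+?) "
ROW_PATTERNS = [(action, re.compile(pat + _PROC)) for action, pat in (
    ("set_value", r'^Set value \((?:int|str)\) (?P<target>.+?) = "(?P<data>.*)" '),
    ("key_created", "^Key created " + _REG), ("key_deleted", "^Key deleted " + _REG),
    ("key_opened", "^Key opened " + _REG), ("file_created", "^File created " + _FILE),
    ("file_modified", "^File opened for modification " + _FILE),
)]
IFEO = "\\image file execution options\\"
POLICY_FLAGS = {  # Policies\System value name -> (data that matters, finding)
    "enablelua": ("0", "uac_disabled"), "consentpromptbehavioradmin": ("0", "uac_admin_no_prompt"),
    "disableregistrytools": ("1", "regedit_disabled"), "disabletaskmgr": ("1", "taskmgr_disabled"),
}

@dataclass(frozen=True)
class Event:
    action: str
    target: str                  # registry key/value path or file path
    process: str
    data: Optional[str] = None   # value data as printed (escaped), set_value rows only

def parse_rows(text: str) -> tuple[list[Event], list[str]]:
    """Parse rows; lines matching no pattern are returned, not silently dropped."""
    events, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.endswith(" N/A"):            # Target column, always N/A in this report
            line = line[:-4]
        for action, pat in ROW_PATTERNS:
            if m := pat.match(line):
                events.append(Event(action, m["target"], m["process"], m.groupdict().get("data")))
                break
        else:
            unparsed.append(line)
    return events, unparsed

def unescape(data: str) -> str:
    """Undo the sandbox's escaping of backslashes and quotes in printed value data."""
    return data.replace('\\"', '"').replace("\\\\", "\\").strip('"')

def classify(ev: Event) -> Optional[str]:
    """Map one event to a finding, or None (editor's rules, see lead-in)."""
    tl = ev.target.lower()
    key, _, name = ev.target.rpartition("\\")
    leaf, low = key.rpartition("\\")[2], name.lower()   # leaf = key holding the value
    if ev.action == "set_value":
        d = unescape(ev.data or "")
        if IFEO in tl and low == "debugger":              # image redirected to the sample
            return f"ifeo_debugger_hijack:{leaf}->{d}"
        if "\\policies\\system\\" in tl and low in POLICY_FLAGS and d == POLICY_FLAGS[low][0]:
            return POLICY_FLAGS[low][1]
        if "\\firewallpolicy\\" in tl and low == "enablefirewall" and d == "0":
            return f"firewall_disabled:{leaf}"
        if "\\authorizedapplications\\list\\" in tl:
            return f"firewall_exception:{d}"
        if "\\services\\" in tl and low == "start" and d == "4":   # SERVICE_DISABLED
            return f"service_disabled:{leaf}"
        if "\\currentversion\\run\\" in tl:
            return f"run_key:{d}"
        if "\\security center\\" in tl and low.endswith("disablenotify") and d == "1":
            return f"security_center_notify_off:{name}"
    elif ev.action in ("key_created", "key_deleted") and IFEO in tl:
        return f"ifeo_key_{ev.action[4:]}:{name}"
    elif ev.action == "file_created" and "\\start menu\\programs\\startup\\" in tl:
        return f"startup_folder_drop:{ev.target}"
    elif ev.action == "file_modified" and tl.endswith("\\drivers\\etc\\hosts"):
        return "hosts_file_modified"
    return None

def triage(text: str) -> dict:
    """Summarise a block of rows: findings, parse coverage, paths that survive a reboot."""
    events, unparsed = parse_rows(text)
    findings = sorted({f for f in map(classify, events) if f})
    persistence = {f.partition(":")[2].split("->")[-1] for f in findings
                   if f.partition(":")[0] in ("ifeo_debugger_hijack", "run_key", "startup_folder_drop")}
    return {"events": len(events), "unparsed": unparsed,
            "findings": findings, "persistence_paths": sorted(persistence)}
```

Paste a block of rows into triage() (for instance print(triage(SAMPLE_ROWS))) and read the findings and persistence_paths lists; any row that matches no pattern lands in unparsed rather than disappearing, which matters when rows come from a different sandbox build than the one that produced this report. The values here are taken from the report, not from a host; on a live machine the same keys would be checked with reg query or Get-ItemProperty, and an IFEO Debugger value pointing at a user-profile path is the entry to look for first, since it fires every time the named image is launched.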

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Sound C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://o7miyo13eslsq1s.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://9v5xutgqnyz0lh4.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436504530" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://9p0gazss7t8elao.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://615wr7318h4uc11.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://2j35w93w0b8419h.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://1579f0m1wc9e333.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{094105F1-9732-11EF-B4E2-F64010A3169C} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e584cc3e2bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://321nh6u1sp2uf5n.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000095e656d4331da74999cd4cfd61f7057500000000020000000000106600000001000020000000e7ff2fd2f7fead5001a7eb7a8e20fcd885e1bab5dc0d0b75681ce5a7435fa08b000000000e800000000200002000000062a0fde4347208f12350b69b951ede93b26919640103c1262e0b93f36d3f46c02000000050e9c69dadfa048d64dace47dd2ddf13c068d1a56796a008564cd6c7b0a05efd40000000d4bce429c18058e2ab0a09678fabe5485c81bc4b7385a3b921f5fff8136fe256d54d6b42c136cb473169b700d354a4a846198554322ea8e98a63963ce18128bb C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://m753b67257x7iz5.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://1v8y6140umdx5x2.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://1vk345wxzr1s7gh.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 2860 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 1764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1764 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2576 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 2804 wrote to memory of 2576 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 2804 wrote to memory of 2576 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 2804 wrote to memory of 2576 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2804 wrote to memory of 2508 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2596 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2508 wrote to memory of 2904 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 2028 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2176 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 1232 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2028 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
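The table above lists one row per WriteProcessMemory call, which hides the shape of the chain. The script below is an added example for this report, not sandbox output and not code from the sample: it collapses the rows into (writer PID, target PID) edges with call counts, classifies each edge, and renders the resulting tree. The row counts are copied from the table; the three classification labels, the trusted-directory list and the set of "system-looking" image names are this example's own assumptions.

```python
"""Added helper (not part of the sandbox report): rebuild the injection
chain from 'PID X wrote to memory of Y' rows and flag the writes that matter."""
import re

# Constructed input: the distinct rows from the table above, repeated as
# many times as the report lists them (counts preserved from the report).
SAMPLE = r'C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe'
DROPPED = r'C:\Users\Admin\E696D64614\winlogon.exe'
SVCHOST = r'C:\Windows\SysWOW64\svchost.exe'
IE64 = r'C:\Program Files\Internet Explorer\iexplore.exe'
IE32 = r'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE'

WRITE_ROWS = '\n'.join(
    [f'PID 2860 wrote to memory of 2160 N/A {SAMPLE} {SVCHOST}'] * 4 +
    [f'PID 2860 wrote to memory of 1764 N/A {SAMPLE} {SAMPLE}'] * 9 +
    [f'PID 1764 wrote to memory of 2804 N/A {SAMPLE} {DROPPED}'] * 4 +
    [f'PID 2804 wrote to memory of 2576 N/A {DROPPED} {SVCHOST}'] * 4 +
    [f'PID 2804 wrote to memory of 2508 N/A {DROPPED} {DROPPED}'] * 9 +
    [f'PID 2508 wrote to memory of 2596 N/A {DROPPED} {DROPPED}'] * 9 +
    [f'PID 2508 wrote to memory of 2904 N/A {DROPPED} {DROPPED}'] * 9 +
    [f'PID 2028 wrote to memory of 2176 N/A {IE64} {IE32}'] * 4 +
    [f'PID 2028 wrote to memory of 1232 N/A {IE64} {IE32}'] * 4)

# Both image paths may contain spaces; the lazy group stops at the first
# " X:\" that starts the target path.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$')

SYSTEM_DIR = 'c:\\windows\\'
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files')   # assumption of this example
SYSTEM_NAMES = {'winlogon.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe',
                'services.exe', 'explorer.exe'}         # assumption of this example


def basename(path):
    return path.rsplit('\\', 1)[-1]


def parse_writes(text):
    """Collapse repeated rows into {(writer_pid, target_pid): edge} with call counts."""
    edges = {}
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if not m:
            continue
        key = (int(m['src']), int(m['dst']))
        edge = edges.setdefault(key, {'src_img': m['src_img'], 'dst_img': m['dst_img'], 'writes': 0})
        edge['writes'] += 1
    return edges


def classify_edge(edge):
    """Label one edge, or return None when nothing about it looks wrong."""
    src, dst = edge['src_img'].lower(), edge['dst_img'].lower()
    src_trusted = src.startswith(TRUSTED_DIRS)
    if dst.startswith(SYSTEM_DIR) and not src_trusted:
        return 'hollowing-candidate'   # user-land binary writing into a real Windows image
    if basename(dst) in SYSTEM_NAMES and not dst.startswith(SYSTEM_DIR):
        return 'masquerade-target'     # system binary name living outside C:\Windows
    if src == dst and not src_trusted:
        return 'self-injection'        # fresh instance of the same image, typical unpack stage
    return None


def flag_edges(edges):
    return {key: kind for key, e in edges.items() if (kind := classify_edge(e))}


def process_tree(edges):
    """Return the writer->target chains as indented lines, roots first."""
    children, targets = {}, set()
    for sp, dp in edges:
        children.setdefault(sp, []).append(dp)
        targets.add(dp)
    lines = []

    def walk(pid, img, depth):
        lines.append('  ' * depth + f'{pid} {basename(img)}')
        for cp in children.get(pid, []):
            walk(cp, edges[(pid, cp)]['dst_img'], depth + 1)

    for root in sorted({sp for sp, _ in edges} - targets):
        first = next(e for (sp, _), e in edges.items() if sp == root)
        walk(root, first['src_img'], 0)
    return lines


if __name__ == '__main__':
    edges = parse_writes(WRITE_ROWS)
    print('\n'.join(process_tree(edges)))
    for (sp, dp), kind in flag_edges(edges).items():
        e = edges[(sp, dp)]
        print(f'{sp}->{dp} {kind}: {e["writes"]} writes into {e["dst_img"]}')
```

The two writes into C:\Windows\SysWOW64\svchost.exe and the chain of writes into a winlogon.exe that lives under C:\Users are the edges to pull memory from first; the iexplore.exe rows are the browser's normal parent/child relationship with its SCODEF:2028 content processes and are left unflagged.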

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
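The registry rows in this section (the Image File Execution Options deletions at the top, the Internet Explorer Main and Download values and the start page, the http/https/ftp open-command rewrite under Classes, and the Policies\System values just above) are the settings a responder has to put back. The script below is an added example for this report, not sandbox output and not code from the sample: it parses rows in the report's own "Set value … N/A" / "Key deleted … N/A" layout and maps each security-relevant one to its effect on the host. The input rows are copied from the tables above; the category names, the explanation strings and the last-two-labels approximation of a registrable domain are this example's own choices.

```python
"""Added triage helper for this report's registry rows (not sandbox output
and not code from the sample). Parses 'Set value', 'Key created' and
'Key deleted' rows in the report's layout and explains the ones that
change the host's security posture."""
import re
from urllib.parse import urlparse

# Constructed input: rows copied from the tables above, one per line.
ROWS = r'''
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://1v8y6140umdx5x2.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://321nh6u1sp2uf5n.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
'''

# Quoted values may contain escaped quotes/backslashes (see the command\ row);
# the process path may contain spaces, so it is anchored on the trailing " N/A".
SET_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.*?) = '
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<raw>\S+)) (?P<proc>[A-Za-z]:\\.+?) N/A$')
KEY_RE = re.compile(
    r'^Key (?P<op>created|deleted|opened) (?P<path>\\REGISTRY\\.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')

HIJACK_NAMES = {'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL', 'Local Page'}
DOWNLOAD_WEAKENING = {('CheckExeSignatures', 'no'), ('RunInvalidSignatures', '1')}


def parse_row(line):
    m = SET_RE.match(line)
    if m:
        value = m.group('quoted')
        value = m.group('raw') if value is None else re.sub(r'\\(.)', r'\1', value)
        return {'op': 'set', 'path': m.group('path'), 'value': value, 'proc': m.group('proc')}
    m = KEY_RE.match(line)
    if m:
        return {'op': m.group('op'), 'path': m.group('path'), 'value': None, 'proc': m.group('proc')}
    return None


def apex(url):
    """Registrable domain approximated as the last two labels (no public-suffix list)."""
    host = urlparse(url).hostname or ''
    return '.'.join(host.split('.')[-2:])


def classify(e):
    """Map one parsed row to (category, explanation), or None when it is benign."""
    p = e['path'].lower()
    name = e['path'].rstrip('\\').rsplit('\\', 1)[-1]
    v, proc = e['value'], e['proc']
    if e['op'] == 'deleted' and '\\image file execution options\\' in p:
        return ('ifeo', f'IFEO entry for {name} deleted by {proc}')
    if e['op'] != 'set':
        return None
    if '\\policies\\system\\' in p:
        if name == 'EnableLUA' and v == '0':
            return ('uac', 'EnableLUA=0: UAC switched off entirely (takes effect after the next reboot)')
        if name == 'ConsentPromptBehaviorAdmin' and v == '0':
            return ('uac', 'ConsentPromptBehaviorAdmin=0: administrators elevate without any prompt')
        if name == 'ConsentPromptBehaviorUser' and v == '0':
            return ('uac', 'ConsentPromptBehaviorUser=0: elevation requests from standard users are auto-denied')
    if '\\policies\\explorer\\' in p and name == 'HideSCAHealth' and v == '1':
        return ('stealth', 'HideSCAHealth=1: Action Center / security icon hidden from the notification area')
    if '\\internet explorer\\main\\' in p and name in HIJACK_NAMES and 'iexplore.exe' not in proc.lower():
        return ('hijack', f'{name} -> {apex(v)} written by {proc}')
    if '\\internet explorer\\download\\' in p and (name, v) in DOWNLOAD_WEAKENING:
        return ('download', f'{name}={v}: IE runs downloaded executables with missing or invalid signatures')
    m = re.search(r'\\classes\\(https?|ftp)\\shell\\open\\command\\?$', p)
    if m:
        return ('handler', f'{m.group(1)}:// open command rewritten to {v} by {proc}')
    return None


def triage(text):
    findings = []
    for line in text.strip().splitlines():
        e = parse_row(line)
        f = classify(e) if e else None
        if f:
            findings.append(f)
    return findings


def hijack_domains(text):
    """Registrable domains the sample pointed IE's home/search settings at."""
    return {apex(e['value']) for e in map(parse_row, text.strip().splitlines())
            if e and e['op'] == 'set' and e['path'].rsplit('\\', 1)[-1] in HIJACK_NAMES}


if __name__ == '__main__':
    for cat, msg in triage(ROWS):
        print(f'[{cat}] {msg}')
    print('hijack domains:', sorted(hijack_domains(ROWS)))
```

Feed it the complete tables to get the full list. PromptOnSecureDesktop=1 and NoFolderOptions=0 are the Windows defaults, so the script reports nothing for them; every hijacked IE URL resolves to the same registrable domain, directorio-w.com, with a randomised host label in front.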

Processes

C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\E696D64614\winlogon.exe

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:930833 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2044943 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2044955 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:930863 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:1979424 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:2831383 /prefetch:2

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:12

Reported

2024-10-31 02:56

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\E696D64614\winlogon.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmntsrv.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nui.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamauto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\E696D64614\winlogon.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
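The registry writes in the tables above are the raw sandbox events, and an analyst normally wants the same checks as a script rather than a list read by eye. The Python below is an added example, not part of the sandbox report or of the sample itself: it parses rows in the report's flattened "Description Indicator Process Target" layout (the sample rows are copied from the winlogon.exe tables above and embedded as constructed input) and flags the writes that weaken the host. Each rule encodes what the write means: wscsvc Start=4 is SERVICE_DISABLED; EnableLUA=0 turns UAC off at the next reboot; ConsentPromptBehaviorAdmin=0 elevates administrators silently; the Security Center *DisableNotify and DisableMonitoring values silence the health warnings that would otherwise expose the change; the AuthorizedApplications\List entry uses the legacy "path:scope:Enabled:name" format and opens Windows Firewall for the dropped winlogon.exe. PromptOnSecureDesktop=1 is the default, so the rules leave it unflagged. The rule table, the Finding class and the random-hex heuristic for Run value names are this example's own choices, not anything the sandbox emits.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed input: event rows copied from this report's winlogon.exe tables,
# in the sandbox's flattened "Description Indicator Process Target" layout.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" C:\Users\Admin\E696D64614\winlogon.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
"""

# Row layouts: the process column always starts with a drive letter, which is
# what lets a file path containing spaces be split from the process path.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (.+) N/A$')
FILE_RE = re.compile(r'^File created (.+) ([A-Za-z]:\\.+) N/A$')
FIREWALL_LIST = re.compile(r"\\FirewallPolicy\\(\w+)\\AuthorizedApplications\\List\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\([^\\]+)$", re.I)
HEX_NAME = re.compile(r"^[0-9A-F]{32,}$", re.I)   # heuristic: generated value names
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


@dataclass(frozen=True)
class Finding:
    category: str   # "defense_evasion" or "persistence"
    detail: str
    process: str


# (regex over the value path, predicate on the written value, meaning of a match)
RULES: List[Tuple[str, Callable[[str], bool], str]] = [
    (r"\\Services\\wscsvc\\Start$", lambda v: v == "4", "Security Center service disabled (SERVICE_DISABLED)"),
    (r"\\Explorer\\Advanced\\HideFileExt$", lambda v: v != "0", "Explorer hides file extensions"),
    (r"\\Explorer\\Advanced\\ShowSuperHidden$", lambda v: v == "0", "Explorer hides protected OS files"),
    (r"\\Policies\\System\\EnableLUA$", lambda v: v == "0", "UAC disabled (effective after reboot)"),
    (r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", lambda v: v == "0", "admins elevate without prompt"),
    (r"\\Policies\\System\\ConsentPromptBehaviorUser$", lambda v: v == "0", "standard-user elevation auto-denied"),
    (r"\\Security Center\\\w+DisableNotify$", lambda v: v == "1", "Security Center warning suppressed"),
    (r"\\Security Center\\Monitoring\\.*DisableMonitoring$", lambda v: v == "1", "Security Center monitoring disabled"),
    (r"\\Policies\\System\\DisableRegistryTools$", lambda v: v == "1", "Registry Editor disabled by policy"),
]


def unescape(value: str) -> str:
    """The sandbox prints string values with doubled backslashes."""
    return value.replace("\\\\", "\\")


def parse_firewall_entry(value: str) -> Dict[str, str]:
    """Legacy AuthorizedApplications\\List entry: "<path>:<scope>:<Enabled|Disabled>:<name>".
    The path carries the drive-letter colon, so split from the right."""
    path, scope, state, name = unescape(value).rsplit(":", 3)
    return {"path": path, "scope": scope, "state": state, "name": name}


def triage(report_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in report_text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _kind, path, value, process = m.groups()
            name = path.rsplit("\\", 1)[-1]
            for pattern, is_bad, meaning in RULES:
                if re.search(pattern, path, re.I) and is_bad(value):
                    findings.append(Finding("defense_evasion", f"{meaning} [{name}={value}]", process))
            fw = FIREWALL_LIST.search(path)
            if fw:
                e = parse_firewall_entry(value)
                if e["state"].lower() == "enabled":
                    findings.append(Finding("defense_evasion",
                                            f"firewall exception ({fw.group(1)}, scope {e['scope']}) for {e['path']}", process))
            run = RUN_KEY.search(path)
            if run:
                tag = " (random hex value name)" if HEX_NAME.match(run.group(1)) else ""
                findings.append(Finding("persistence", f"Run key {run.group(1)}{tag} -> {unescape(value)}", process))
            continue
        m = FILE_RE.match(line)
        if m and STARTUP_DIR.search(m.group(1)):
            findings.append(Finding("persistence", f"Startup folder file {m.group(1)}", m.group(2)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.category}] {f.detail}  <- {f.process}")
    print(summarize(triage(SAMPLE_EVENTS)))
```

Run against the full report rather than the sample rows, the same script separates the one-off noise (an iexplore.exe write to its own VersionManager keys) from the writes that matter, because every finding keeps the process column; filter on the dropped winlogon.exe path before reading the list.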

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTDIALOG.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRINTISOLATIONHOST.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCEL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IE4UINIT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOHTMED.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ORGCHART.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\PRESENTATIONHOST.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRCEF.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SYSTEMSETTINGS.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSYNC.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTEM.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOADFSB.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSCORSVW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOASB.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ONENOTE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\ACRORD32INFO.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXCELCNV.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GOOGLEUPDATE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGENTASK.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\POWERPNT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEINSTAL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SDXHELPER.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SELFCERT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RUNTIMEBROKER.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IELOWUTIL.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEUNATT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MICROSOFTEDGEUPDATE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSFEEDSSYNC.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOXMLED.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPLWOW64.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
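Image File Execution Options\<image>\Debugger is honoured by CreateProcess: whenever a process with that image name is started, Windows launches the Debugger command instead and passes it the original command line. With the value pointing at the dropped winlogon.exe, as in the "Event Triggered Execution" table above, starting msinfo32.exe or any of the listed security products runs the malware. The Python below is an added example, not code from the report or from the sample: it parses IFEO rows from both that table and this "Indicator Removal: Clear Persistence" table (the sample rows are copied from them and embedded as constructed input) and separates hijacked images, keys created without a Debugger write in the log, and deleted keys. The IfeoSummary class, the heuristic that treats a debugger outside \Windows or \Program Files as suspicious, and the short built-in-tool list are the example's own assumptions; the report itself does not say why the listed Office, Internet Explorer, Adobe and .NET keys were deleted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed input: IFEO rows copied from this report's two IFEO tables.
SAMPLE_IFEO = r"""
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\IEXPLORE.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MRT.EXE C:\Users\Admin\E696D64614\winlogon.exe N/A
"""

# Action, key path, optional quoted value, then the process (starts with a
# drive letter, which is how a path with spaces is told apart from it).
LINE_RE = re.compile(r'^(Key created|Key deleted|Set value \(\w+\)) (.+?)(?: = "(.*)")? ([A-Za-z]:\\.+) N/A$')
IFEO_PREFIX = re.compile(r"\\Image File Execution Options\\", re.I)   # the report mixes key case

# Built-in Windows tools among the hijacked names in this report (assumption of the example).
WINDOWS_TOOLS = {"msinfo32.exe", "netstat.exe"}


@dataclass
class IfeoSummary:
    hijacked: Dict[str, str] = field(default_factory=dict)         # image -> debugger path
    created_without_debugger: Set[str] = field(default_factory=set)
    deleted: Set[str] = field(default_factory=set)
    suspicious_debuggers: Set[str] = field(default_factory=set)


def unescape(value: str) -> str:
    """Undo the sandbox's \\\" and \\\\ escaping, then drop the surrounding quotes."""
    return re.sub(r'\\(["\\])', r"\1", value).strip('"')


def debugger_is_suspicious(path: str) -> bool:
    """Heuristic (assumption): a genuine JIT debugger lives under Windows or
    Program Files; a Debugger value inside a user profile is a hijack."""
    p = path.lower()
    return not (p.startswith("c:\\windows\\") or p.startswith("c:\\program files"))


def analyse_ifeo(report_text: str) -> IfeoSummary:
    s = IfeoSummary()
    created: Set[str] = set()
    for line in report_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        action, path, value, _process = m.groups()
        pm = IFEO_PREFIX.search(path)
        if not pm:
            continue
        parts = path[pm.end():].split("\\")   # [image, optional value or subkey name]
        image = parts[0].lower()
        if action == "Key deleted":
            s.deleted.add(image)
        elif action == "Key created":
            created.add(image)
        elif len(parts) > 1 and parts[1].lower() == "debugger" and value is not None:
            debugger = unescape(value)
            s.hijacked[image] = debugger
            if debugger_is_suspicious(debugger):
                s.suspicious_debuggers.add(debugger)
    # The per-signature log may omit the Debugger write; list those keys separately.
    s.created_without_debugger = created - set(s.hijacked)
    return s


def hijacked_windows_tools(s: IfeoSummary) -> Set[str]:
    return {image for image in s.hijacked if image in WINDOWS_TOOLS}


if __name__ == "__main__":
    summary = analyse_ifeo(SAMPLE_IFEO)
    for image, dbg in sorted(summary.hijacked.items()):
        print(f"{image:14} -> {dbg}")
    print("created, no Debugger seen:", sorted(summary.created_without_debugger))
    print("deleted:", sorted(summary.deleted))
```

On a live host the same logic applies to the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger`; any Debugger value that resolves outside \Windows or \Program Files deserves the same treatment as the winlogon.exe path here, and the key is removed (not just the value) when cleaning up.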

UPX packed file

upx
Description Indicator Process Target
(14 rows; indicator, process and target not captured in this report)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\E696D64614\winlogon.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\ielowutil.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Sound\Beep = "no" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1070936923" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140672" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000006d569d97abca0f803d47b7ad8396921473e855d8ff80fc5be1ab138e6eb7c77d000000000e80000000020000200000009634e6338f029b32a9e3cf8ef4cd0fa20ae5752e98b1aaecb728de397e240b2920000000b57b30cb10909c71256ad5590cc76dc4866098c54a418577640e03ca7fafe07a40000000eeb6357a1d3d44f7776209d8a3a34f622f60a327bb32524968feca495a04120ee69d77615ca77f5e703520d49ed956f84ca8a3c0061170493a76fb5b2b85f8d1 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437108232" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000b58b885e8a7002b6e625080f2308f4df18aa61dc3f17cf94fc1a08039129c23d000000000e8000000002000020000000dff2cc63c473bcc589b6c05c0f93d925f791618c581e852439740b11c666062a20000000729aaa83c132faa0b7705ab2d98ab52ff9b66d4ff31eaf1014471d897d1b622b40000000b39fd3e7b4b7a9c25437470b0c22bdfe2178c21cd8e41def669ba766a51a46be064987113d1168da86dc48565db6485bfe2bc2955f440a1bbaf846fc354952d9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000ee1a1f2dc0d094d70ca6ed933b19e6cdf4a49cf15cf0d72622fec202382e7012000000000e8000000002000020000000cfed2eb336e3f2fd0f5152629eb7c38232a633f6ad32cf72710d3c08a8512bea2000000061df3e71d3f5011b2690b2422250e2bbfba77baad8a7897dab4624c058210679400000002087ab9a51f6853c95c3bd6a13960dc879a5785835a9dddd0d7a608f3904e500ba20825f83550f6cbcc2edf3ad75b6540287cfe56f63b453f3efedf6d8021b33 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000065a950fe7baa3f1dbfebd61e21d6ef170575f5c265fb701fcb54debabe12ffce000000000e80000000020000200000007ea859582887b03f47fddafece88cff2dfd7f957adce04df064c5388b7ff28622000000027c624b79ddd37451a05096a21608791cc6983ead3f6b254dc126fe203866d9c40000000a7d4b6ec81e8b34c7ad1bbd6e0cd126df631c978eb63fdb534a3790d3a79528053adcca9fa3acfa9a9e4f6dbc38da25cf3ab972afc3c8d41cc96e5e8e1bf4d11 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102cb46c402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://7802os2tclomc07.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eb613c3ae7e8e8da6bc38d1e3e787974736077152305a10e7ebeaae8e5a04a55000000000e80000000020000200000006c2090d22a034a2e05d65fdde6ee7e7e574ab430ee33d652505e235c408d02ee2000000054b072b7382c5b03bde5a1481bfc3926dfcec2069802339bc8ebd1c7f43222264000000091f6f9073bf87f91c0002d03fe8a47d3d2665f8da2570f521606b463865bc17991eeadf2e38e64046f3786dc5905610a4e8f719b2b1e07cf5161c1adb70709a6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0145257402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70765350402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000a5dd159e6de570b898b60bc797ecb83285c43b6eaef733e05c0de8769cfc627e000000000e800000000200002000000052c8662ad571843fe8f0f528546cdb7ddc8a88bfc1bafe474a09655f5f2b0d3d200000003af0d826efc6efd50f1d29cf93c71b5e453b7b827cefcfe37a3c28c729aa27bf400000002ad5e4c096aa4494c83fadd8224ec439546e798381dbe1316081227e9b672c64e42c66ff5ddc73a85b090b5d7286159a86422a03a584b9b10512271f67c21e6b C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000042c417198a6734efd6bd244401b86aa33822dad359ab1247f0f81dab99122f1a000000000e800000000200002000000011f6de9939e2ac224b87f097fefa93a0c3bc3981599dacc3c1c0f0e8e3476804200000003d690a8effa8b6db841e05f6ae89dfadc317965ac069544b1ff2e5fb24c6697340000000d5a7d3f6e5eb0fca9547d8e94c48e8342737d0d0191c12cf84f439f9ffd859fe477d54b3f3a2b285862b810b3bfc8af11c057c69df570480b4c2e7191ab4a387 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c6c7f522df86b8efce5bd2bb825b0b5f7e778cff67fbd1f7f27c1262c8b69ce7000000000e80000000020000200000009cf4f21d283151e84b12d7485491320ea5b4a5c16cca01f6dc2bede6962f69cd20000000d4c3a9e31d681aadf548a06c25a41193c61efa5f3655ae7c5db3a7648e4bced340000000d53df888c19276f34b9dc69bf00ef137865039f8b0df2994a8560c175c5d8b1af5099f5e04f459e76a6bc6fc848a8e161f4a0a0c64ebe5545f51e91407cef642 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7014592f402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140672" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://z548qjnsyy80x2w.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a048013c402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1072187176" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dfd442402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f74948402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000db0a782b812c10bba7d8e7ef57c96433586152e91fea49cc0a23c820469fe2cb000000000e800000000200002000000063ef3ee11854f0b8d56401c55363cb0b16d2b187375e75b657554d0c41dd991b20000000b1ac671f665e13f273550ec0274a1a60afd3ff4412a8b9d6915d44ffe09c6cfd40000000837299aed2fd7737252dce63c24d2ec213e6962588e757f7279799f3c84af38fdf17129a6f27ed6e52a06bbb8a4ca68ee15df4ca6102833105cb5224d9bd0dba C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000007e7070226fc0804c1675de4c08e570226a386de0a35d9ff6530e1df406d82d68000000000e80000000020000200000000e88a9719e2ef12f73de2953276b399b1e8772fd39351af55482a356dc824a5520000000d358dcdc1399a97471e5e879452027dc680a89637340ed9df68f1d31a17e850f40000000ad74a954b32ab03e9374d27955ec4d8455d1e942ef70a05783b205ad23b4bb27e8ff73ad4d4530c37cfa195d45f9e7205460f93f7766a4bb4347a9ddf9fba8c8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000f24800e02bf3f4274a215ed2c583542bdef509dbe12c85f1727d3c128d20ae11000000000e80000000020000200000005697cc6ff0bc6bd49a4fb716f2612c490f6a8cfb6927f4b4448a9d9c40ce786a20000000ba0bf7113c9870a044dddb4c688d28fedc08e62f1c7221220566a75521f7c84240000000fbf8d3e39ea18bcff901bbdcdbe4bd424a67e21e72667e72f64e6cb462159ccb932459808033a7394ccc280988ee335d9408f4aa8734f1f18204bdc6b5178a5d C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://px3pj6420c4m1t9.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1072187176" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0697649402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000d1e66fc4038e215f446afe02f1430b887e91085213d81eafecc9e8abaac17cf1000000000e8000000002000020000000ce2f95f1629ce73e4ba08fbf537ac7d20b8da92fac90f840a88bb4780cd09e4020000000225a5b724210fa426eaf56e895f37f294d2c9474372715874e39abf90b205be440000000b7f6d8db9d9a0384de84f0064fb1a5c77968654a5f04a0144fb03566d6a9eaca84c73c9edc97fcc2a02326971885ebeb6a702db22b0251ce3d15d06e48baa15f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000c047b0cd0fe18cc51034eb777aa2e56f11eecb1bdfddd587d1babb3409d452d4000000000e8000000002000020000000a05463b846e1aa1b6aaa3d90a9b6b5778525be25f7c4d3e037b654ec7c96c6022000000097af54c676c876e7afe696760d6ac7ff5e8e678d5e93ce0c834c6e7f10f6796840000000d5e5ab8af75aaa11aada6093872bf8c431fe7bacd62aad7a317f9fc3f7d3464162fdfe32a2896ba265064964a094817008449de646df46864c4dba8ecdd6b9bc C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e390000000002000000000010660000000100002000000049068dd8204426a30cbd3d9f007ec2f5f4a0cb8112562231feede379a66edf2d000000000e8000000002000020000000f2476e8dcdfd246faa903413ea35a12a49fb4e24476e6df682cd4f9e699ba046200000009e5ded80099cf695c266784ab51384c3d135c81d39a594abe3a3991c3f23803540000000b165d4d6bf55f0fd55788e82fa0d9f68493d4e268c950e9a9450bd38f2521f29a278c8df09008c627a9146f048f09fe7293db4817ff0691d311ebd84dd319da7 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 705d1d72402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://8q69g5bk2j47vt6.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{6B6E0B13-9733-11EF-ADF2-D6A59BC41F9D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a06eab6b402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000008e93a80b4a3b9d69277f777e53e50374c5b4c0626359958d18f37b749f9f16ef000000000e80000000020000200000004ec5c1121d231eb7a22447076db0fa0a07542791a1cecb1e31a7dea214473d9d200000008ced556bfe19fb5c03d2b7f057325c3526a4726081d09dd12a8483bf6500473c4000000010ac13f971d7237c284a3a284d976202a128e068c7b418300ae87bb47ff45fc117950aa6205f6d6c3a426726c0e300805bcec32e7d66a2765b3ef4e7149f8359 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b94c65402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0235148402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000eed5ebc81741a8c7383c3a4bb0fabd0df883eefbf3d3eefef63270cc68d66ab7000000000e800000000200002000000087bccc64319a3eea56d297f3f195374280e5772c2523be0894a852fe192c059220000000303cbdb2987f940d69a133386ac419159ef0856dccf67f2cfee6c80e10ec0edb4000000093756c9052f3ff33bcf56ef1a5c428417cd235781ee537d51e87f0592a54f83aa38d4da2e671be0c2b4cbba8ec31fe01d6cfbb7d1912efc606201b950c76359f C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e3900000000020000000000106600000001000020000000ac2ee100f758f189638aedb6f73e4240fcc99016009ce1f37893114c655b1acd000000000e8000000002000020000000357ccfad998a48cd9c121014b9e59f1e1fe049069c6dd83b9839de10f0340e8d200000008435d583902ec24a37c9a6a3ebd35c40cf0d146ddb5df9a692d945d111e614ab40000000a8bb0e816498987b326d3dee262f4b53b1e588edee4cfe3a7379e8d7fec47ffcd4d96063ac4f0977f699439ed6737120bf83163598b6f636007e499342ffd2ff C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://qd8ge4z1t2o3d08.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://fctsigx8jbazi8b.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1070936923" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3047555e402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a061935e402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 908d6c3c402bdb01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://71r6716le07z4zq.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://711h081oz8s12r6.directorio-w.com" C:\Users\Admin\E696D64614\winlogon.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open C:\Users\Admin\E696D64614\winlogon.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A
N/A N/A C:\Users\Admin\E696D64614\winlogon.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 512 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 512 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Windows\SysWOW64\svchost.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 512 wrote to memory of 3716 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe
PID 3716 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 3716 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 3716 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 3428 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 1664 wrote to memory of 3428 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 1664 wrote to memory of 3428 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Windows\SysWOW64\svchost.exe
PID 1664 wrote to memory of 3532 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 3532 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 3532 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 1664 wrote to memory of 376 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 376 wrote to memory of 4008 N/A C:\Users\Admin\E696D64614\winlogon.exe C:\Users\Admin\E696D64614\winlogon.exe
PID 3936 wrote to memory of 1764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 1764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 1764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4976 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 2864 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 4380 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3936 wrote to memory of 3068 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" C:\Users\Admin\E696D64614\winlogon.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\AppData\Local\Temp\8126840a68ac0b59131895236692c577_JaffaCakes118.exe

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe

C:\Users\Admin\E696D64614\winlogon.exe

C:\Users\Admin\E696D64614\winlogon.exe

C:\Users\Admin\E696D64614\winlogon.exe

"C:\Users\Admin\E696D64614\winlogon.exe"

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17418 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17428 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17436 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17450 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17464 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3936 CREDAT:17478 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 6y2p57146tg986q83t33ukl626on3m.ipcheker.com udp
US 8.8.8.8:53 whos.amung.us udp
US 172.67.8.141:80 whos.amung.us tcp
US 8.8.8.8:53 80q14wg613i0dvyp84735236ql14nj.ipgreat.com udp
US 8.8.8.8:53 widgets.amung.us udp
US 104.22.75.171:80 widgets.amung.us tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 141.8.67.172.in-addr.arpa udp
US 8.8.8.8:53 171.75.22.104.in-addr.arpa udp
US 8.8.8.8:53 711h081oz8s12r6.directorio-w.com udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.buscaid.com udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 8.8.8.8:53 www6.buscaid.com udp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 23.79.56.45.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 img1.wsimg.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 172.67.41.60:443 btloader.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 ocsp.starfieldtech.com udp
GB 142.250.180.3:80 c.pki.goog tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 192.124.249.23:80 ocsp.starfieldtech.com tcp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 56.204.197.15.in-addr.arpa udp
US 8.8.8.8:53 36.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 60.41.67.172.in-addr.arpa udp
US 8.8.8.8:53 46.195.100.95.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.249.124.192.in-addr.arpa udp
GB 142.250.180.3:80 o.pki.goog tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 172.67.41.60:443 btloader.com tcp
US 8.8.8.8:53 img1.wsimg.com udp
US 95.100.195.46:443 img1.wsimg.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 6k3da4664217k53052jd32q536041d.ipcheker.com udp
US 8.8.8.8:53 31fs20ah9142yhwv0v74x70dj9j752.ipgreat.com udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 172.67.41.60:443 btloader.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 8.8.8.8:53 img1.wsimg.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 172.67.41.60:443 btloader.com tcp
US 95.100.195.52:443 img1.wsimg.com tcp
US 95.100.195.52:443 img1.wsimg.com tcp
US 8.8.8.8:53 52.195.100.95.in-addr.arpa udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 8.8.8.8:53 q142n1ztju02e7vnpv7nbap4p1878q.ipcheker.com udp
US 8.8.8.8:53 454as5gm5k13q2232724s6w59q9t78.ipgreat.com udp
GB 172.217.169.36:443 www.google.com tcp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 172.67.41.60:443 btloader.com tcp
US 95.100.195.52:443 img1.wsimg.com tcp
US 95.100.195.52:443 img1.wsimg.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 8.8.8.8:53 www6.buscaid.com udp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 172.67.41.60:443 btloader.com tcp
US 8.8.8.8:53 img1.wsimg.com udp
GB 172.217.169.36:443 www.google.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 8.8.8.8:53 p6623509va9fpzn154mqjvj593ltj2.ipcheker.com udp
US 8.8.8.8:53 kh0vv0mmrxo9de59cvd6779e4nnl81.ipgreat.com udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 15.197.204.56:80 www6.buscaid.com tcp
US 8.8.8.8:53 img1.wsimg.com udp
GB 172.217.169.36:443 www.google.com tcp
US 172.67.41.60:443 btloader.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 95.100.195.46:443 img1.wsimg.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 8.8.8.8:53 g0l3c0drf5i2enc93548qb7is3gei2.ipcheker.com udp
US 8.8.8.8:53 t43j87f3b30222r51u2dwz6uapgg98.ipgreat.com udp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp
US 45.56.79.23:80 www.buscaid.com tcp

Files

memory/512-0-0x0000000000E50000-0x0000000000E8C000-memory.dmp

memory/3716-1-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3716-5-0x0000000000400000-0x000000000041C000-memory.dmp

memory/512-4-0x0000000000E50000-0x0000000000E8C000-memory.dmp

memory/3716-7-0x0000000000400000-0x000000000041C000-memory.dmp

C:\Users\Admin\E696D64614\winlogon.exe

MD5 8126840a68ac0b59131895236692c577
SHA1 9a610c195b9b153d8f31a0cc786f709372bc81d7
SHA256 d38e4a084a04993bf205a802fb04c83ab1436319c95605595bb274231b19c435
SHA512 74cacd4ddd9253f960fac294c36c13e9d7d94f10808622db2acb8cdefd5fe65ef6e603313a8996322f11c935bbebb3c5a58253e5dcb879f95a0c674845a2e4c8

memory/1664-17-0x00000000008E0000-0x000000000091C000-memory.dmp

memory/3716-18-0x0000000000400000-0x000000000041C000-memory.dmp

memory/1664-25-0x00000000008E0000-0x000000000091C000-memory.dmp

memory/4008-30-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4008-33-0x0000000000400000-0x0000000000443000-memory.dmp

memory/4008-35-0x0000000000400000-0x0000000000443000-memory.dmp

memory/376-82-0x0000000000400000-0x000000000041C000-memory.dmp

memory/4008-83-0x0000000000400000-0x0000000000443000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\RE6ES7L6.htm

MD5 5883f46c1ef7b7c85314ba911869fab4
SHA1 252daf738d9888825742e25ac42ffd69538aa3b3
SHA256 2b0b93c69d5d649272ab2f0b3538cc7e2e8a4b784c2c32464d074df2231ea532
SHA512 b0b628501438534071872d80aed28ef161dd6b6db549fc1497bea1bef668a0375995a6d96ab5e3dc8d3b4e9924ef70fa6f374dbfefd62608f76baf768439c4e5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\FV3ZVD6I.htm

MD5 dfeb07871e58cd3537f30da5fad9ca14
SHA1 fc52042fa6ee618f89631335f61c067893d024aa
SHA256 8d9ac95b12968978fb7ae85bb9a6d968cdd3f6a22c5cc772fe7fe129fc31f66a
SHA512 6e006480d85d3358a6f7583310b0de2311b174956ae3c8ab3f3af24095b984418b6b9277e746c5c55a14bc9cf7d41f9822d03767d974301a60029f8e6398faf3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\3O1SU0E7.htm

MD5 ad4b8b78660237e90d67998fd3cad18f
SHA1 faae5b2c8b720bd753aac996bba439c1a1f5635d
SHA256 b6303035a2bb5c474b0144297c656c0ae94a124cde3e2e609eb6921747f2ea1e
SHA512 f4ecdccd6b3962c2bed6ca636d1041880f96c9b4f0edf103d737be8e9ce925078715f56687c29110e6f49cc1ff2400248819528f87d2f356ba75e937b1ca9a9c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X3JA8BBM\lander[1].htm

MD5 e15c460ec7ba9ac34c90a95a4d8cf472
SHA1 7f87fb6d10fa8b1d88972826b2fca27278fbcfa6
SHA256 e3645f226c6d2b938c261bdd3682a245e248f56e8cf7ef6d8ac30011d7ede8a7
SHA512 5b69a590abe2c9289db9d09886fc74478dab94d029438a1e2bbc2019a27e008f776c838fbdc3a9c40b4dff322c8510cb6d4f34ab51cf76a40cedfac14e97f070

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

MD5 e935bc5762068caf3e24a2683b1b8a88
SHA1 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256 a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512 bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

MD5 62b5967776594d040fd16952f1615430
SHA1 5846eb7c1e1b493b67e10d2615c9a6ae77332b2d
SHA256 9aaa7e16d985fd7257a03bc3ea3e8ef9c28dad21300ab27bcce323e72f82b19f
SHA512 3142cd9b32c1d16723ed1937aa79fed61d47357cbc1f47b994761759a021ecde610caf6061c5e0931f1fee7ade6015fac6adca757b7dc4f367851203351e16c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

MD5 e9855b3c6f08d1f2c13a88b4dc7cb955
SHA1 cc43861c842b195cc022d8ccf9f6984ddd88d4bd
SHA256 7d8dd79e5630070e5ef07b78bd2e586528b9c2807cbd88471088b35e31f37828
SHA512 3a04b7125a7d2a1403677b2c5a3a91cf81101093a004255034637aeb4dac0b96687b454e8ab9dae0e6cf6c0bfea917f3caf6237d84b7f52f8246ac0c290952a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_6C4EDE6B4E04AD6FDB8E61232C576EF9

MD5 4cd5a4f2ce6b03f42d3a4f4a72c7921e
SHA1 e4146bcc0fb0e38c35d967ac7689689a4cb88437
SHA256 e6e2ab5e3b577b9cb943a39ce3f38326b5d1856e796566876f90e21d0402082c
SHA512 a8948d3dc2c394d87545d77d33d25579bec4a90730c1e23ba438189eb1af458717df2329caad2c00d82b9e00492ead5220bdbbebcb40f8473f4b72018c58c0fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3755dc974dc983c89c3eeb17650ddf77
SHA1 54142c635c10f3babb9d8b1664be790718e96d0b
SHA256 592115ed4f1407febb0ced51e613ce66ad32d84143bfaed2c5990ad439a3cc71
SHA512 6c2d76c24a005cf92121e2ec96ea1e6cbe93d6c2c48c910cbbea411841433148bfadf47c6ef85d5e7ce8b33f97ccc9131b314c8f9457b7f149ddb9451d02d95c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9fad70be50a77fadec9765c29e6953d0
SHA1 01a3617ba1a54350f0c221c6e44f2b656e07824b
SHA256 877585c2a2f83c9ad2efdc0807592deace6de7f5d09457a949dbde9fb0510c81
SHA512 ba87a6bf195840a223b012133eb55c1ce20df75a43bdef8cd475c49def5405b4a9a8d591e7979e8d68c3820aab6886639f2da8ef373f704098f21f5c5d5e62da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 b36d1273d2c3454777c9e09b1cc86da2
SHA1 8734de9278276b494c0616797fd609fb8ab2a71b
SHA256 80d4abfa28f1f4b07e861d1f7c649531027dbb0b4f4a9e4e0010b6de649491d1
SHA512 49118f960ff716a78175f06dc38a15f0531ab217ca5271a54212be990e74a46d2f30f47ce04435eb57d01a0d540fa081bacc834b761cbd4e16f8bdf9f2b518e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 c58fdf8462cbb57281609e2769df3702
SHA1 329b28709369f68c63561584ac51e72d6d0d9a7c
SHA256 59c8ebd7a1277b2bd20db43fc61fe42ca0f7822c2c7d7ad90fa1023ea4ac6bc1
SHA512 4761447858df034e94ea22fcfb5f5ef2b756bfe554a6e93c6c2e055a0e948c13597a3717dcf5eb44a7c761015289787f722f8929af916b5abbf0b325b51428c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

MD5 b44b786694bfd96d3c090058dff2efd9
SHA1 d1d8701831fd00e083b82703c42e7f3d5c9b53a9
SHA256 677c2e00b2bd2a8bbc4721cc7ca4ff0d5ce334fb3f8757396c7df51bd61ba989
SHA512 ad9a05daa2d007c42206ba13277e85f275f151ae9f7f1e4b1844e743a157c91cfc66bf2dc2068cb8279c5c29604a6cab7e961de7e45cf273f9211cf5d0ac171b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

MD5 0f208b16d7ca50ce483b6f6b171d9e0d
SHA1 661600699281220ac0f97f34ccb0a6063403355e
SHA256 dfb05b61cc83ca973e8321744dc4084a64387894b49483807e31343daa881465
SHA512 72d549083e9e4520b39e23364bdf21f074bace802fea3267f98f6537454a7c41925710b789dc4d2b9b82028c64dc7e82f4e2ead7805733bd28e0d740a38cd690

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

MD5 80268f845552c33d0181594b4e3d54fe
SHA1 3e9d423c97885b47b4df7acb05caa1e00ba6b500
SHA256 9267cdfc6231c41c89ce2a35db2379fa23571513736da393b33ca8a0b45e147f
SHA512 af0e9e4bfc842f590cf85d691134d7f33b74c2c96896784e452929e5ec60d5e556b1324890b4fcc7702fb27dcd1537414962491bb48b94d4856018155d26343a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

MD5 ec48c020024ca393990eaad1c4166bd2
SHA1 5645e6a65c6ee1cd0491f7bc417d22d30af7ff4c
SHA256 36c5f4a91e0125bd55d53e618441b88118d2b043ed2c162e0406b2b257e829fe
SHA512 6102a4c3a19bf097e918925c09088734aa1cce998803d7063f6900b94ecc161560d3d5bb3201a28cab8a944040d59f18df4bd4704e148bc98fcd2c7b73a4d9c6

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\main.ef90a627[1].css

MD5 3f821ada778691e677aef2cea8c4b4f6
SHA1 643e7b729b25c2f800469623191dc837798e9d50
SHA256 7510035d553a99fbf93eb67737b2df057ce096fa1ed7aad83cfd559e11f2320d
SHA512 8993a8ad28ed4035a022d1b7274c77a97b8235b2ddcd5e6d29f7230d375851539900d4ace652c94c4be8a8284ffd86501df420385a6e680df4222c162deff4d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X3JA8BBM\tag[1].js

MD5 78cb756aa06b07c207880f7b4fbb721a
SHA1 6f96c8d80d2281afe016f345bdc448255740622e
SHA256 cb666c470a82988da4f29bef5b1f8f3e1d4119fafc9e78538cc0e74f17c8c338
SHA512 a3fa57a8bc184f2561164395b9015305bfc6b4c1eeffae5a630395a21f730bf8a0640b4bc5d948d6f0bc78e3f6c829517ef011f1f78db0578272d8a1bb1aaa21

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\main.a345b721[1].js

MD5 a45598e4c3ad88168b72ba9e56f9db3e
SHA1 23ca76f52fafd8bbfee3426cc2202975a43d7450
SHA256 9cde14ce75189208d1475f90c0cd75c31413d95f1c521ed0be883d3a5979647d
SHA512 b719742992b9e1bd9a0f6a7b98eebe32718bdf1d4fc47ba3e1c0d5c2991d0019013cc5a6c1ade7416077e8136b6c24869cca87067b67e9bda6610743f6790241

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFB9F.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\VJ5CI4XT.htm

MD5 167367582e5b71bc9838ec147ee53afd
SHA1 b3a2c653bf961f4ef6f2801d746e18868e3e32d9
SHA256 b4faf4ce8d8df166748e9a1502ba5ecfa278b5c33643df4ad80bee0a86537b44
SHA512 233b9558c352199c3a11cf0db4516433f208d6e5f9735fc72dde3d86c07f89becee5fb6642d575da1127ccca3b2a50db94d272453f7e5cb0a84c0181dabcb0d4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\caf[1].js

MD5 e69ac32ab1e181b296b5d71cfa1ef63a
SHA1 ad1d570d7a5fb3ffc42ecefe1cea13a9fac205c4
SHA256 8d0dd55974c027b602fa403e5372a69dfc99c122fe9e1983f3bb1bb3dc28dac7
SHA512 70a990c4f0e5af5074304b2f625130e2741d8c532a05c603adc853d184da203eb51859e66e998539e57f3cfb4e6fad6ba8196c81ceba03b6c1ae7e85afa1b243

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\LO9XKXWP.htm

MD5 dac5e4781d66af73cf333643010fdbbd
SHA1 51326f40da0b960418a4c5a60b7f99e000456501
SHA256 5b5a2a9a061243480e44a57bee3cf76424c44164be9cec85a5acc95d0617a918
SHA512 aab7e20160356d44773a2a3ae8e38225673644e15d88298e646e513c59d6ef6bc3cc9c31b75081fa31fe22ad06c0fd087bd360ba4a77c51ce916ae6108c7210d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X3JA8BBM\IXXG0Y4G.htm

MD5 0ac17d2e3df26372118deffb67060b69
SHA1 78e5ac5568354defca592b0b1595dd7307c2c09e
SHA256 b7c9b65a8ed945d6f5e53950cd8533e8cbaf2b9c7f7cfdda75e81d4be1a5d7db
SHA512 c0a71e6d3fab1e6699f4f4ad3115377ae1270509edb6e224a816391543fa0abc2d4c5d41271ec3d65e602c5b2092c9cb9b7db230d9c9748ceebdab11504e32c2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\BWHVJW8U.htm

MD5 27e22f75474988f9030be7ea53980ae2
SHA1 a7268304ab1085069064f171fb8911e3a47fc639
SHA256 6fcaf9f36decca166c5ae5550c345c3fb03de49271d692eb18e324261fd7bcb0
SHA512 041cf79a5d682e6aa3e2922f161b6ae9902e0fb0f74fa0cf109ee18f6c22e2f0799383210de16d31e5d67ca9c10d4ca445306a2c7a3dde35e579e4fd4ea29d50

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\caf[1].js

MD5 3ead10870e1afbc3f82ce87dc30e59de
SHA1 054444246b731a9b64c730871407d7302bf5ac2b
SHA256 b5e45b2484a4791b1829946da8a71a8429cf12ac14cfb1eb9ca011a201f4ca7f
SHA512 9fa45c0ecc3683c97a394e2636ee1c687e4d1917470714aaf1381cf012109a38edf637f2da88c62da62b8f0a28df8c9d23f533f9df9bd1b8a78d895f6c7a50b5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\EU911VXT.htm

MD5 4d23344b780b1cb09c2f9c92f03d7a0b
SHA1 d63c9cb09395b7c91f1d1f4fb3595733eda5f865
SHA256 470d40498a016be7d519f396375a0c13fd507b2b179877f0e0de47f4c3933e67
SHA512 a19180ce7f03cfaedc7959233e1ebe801d245832b75e18c806b0addd16f96efdfca6e7f867ad07998aac01d5885a133db57aa53b546a474ab27f964c34bf1a41

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 9cb89abcf07bb31fb38c895f6b00741a
SHA1 b332ab7b5ffef559b3521b14f8e01a464908c78d
SHA256 116c85f8ddc3c53cc648ea219ddc20a77c1605a489636267d87316473177f707
SHA512 a658bc409d306fea713e22e2f79dc62788acb91e7e59a136b1ee6a8dd66d4c0ecb0acf392f49f1d7468f841447fe3a001d5614c418ed54a4a204e7f9f987b6d7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 ae72ca27b9634411ebb23777cc46a472
SHA1 ea027016fd632f9b6ba1c39de3bdd15c2ef9baab
SHA256 2eac5e0ad59cb5f6fcf1d664a06496869211d95e965a6199af32fa76363a40b9
SHA512 1dbf8e1ef12ddf8e09b6d2313a8f1960cea7b637988f2e18e0d2097bff929834ee37454dc6e699023f8aa13f071fc9e5591fca9be53e4edf7973527f5636465c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\CMVH21U7.htm

MD5 c010ba06745cd1bbc23dab6ea06db16f
SHA1 af21b04cc7473de95a481fbed84a420bd6a8c264
SHA256 9e60e8576b53153dfdfdaef3063543e1c0733d51890770a2d75282688318e70a
SHA512 d73366e5e71c0755046a6d11f58798160a6ec6a9454b8db58dedfba2f28eb87a5637ea15425277a0cf9407dcc1bd07f2db1523f0ca9eeb27dffd3d1af6e3c60b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X3JA8BBM\UQX2PHWE.htm

MD5 b451b6d35d24a000dc1e3953f1249609
SHA1 1f87f2e807e23c3641c564f58f13c2b7d3159f0f
SHA256 c624cb8f6dacbf0dec360f6ac2149eba115eb5f580fdf007fb5232652e70da84
SHA512 3b4628728ba6727330cca27bea804ba4f18c20eb5078b5312b857dada8dcb039f02e6095530e7031d5698286ce1f1e51284a03e4c784c9eb4685b0c11fb47db8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\88Y5G17L.htm

MD5 5bf8a14e0828b528b942bda627ef5df4
SHA1 6109969fccf61e9a73d7ade791883a161c3ccc80
SHA256 3b3991b64114d9fa87734ee504936fef044fe274cf9fd52ae3522f6bde9e319d
SHA512 414e7f78b9ab5d9ed1fb02d049607d58fc5cf95ed3d24710817685d37a0c163f4e7ee58d29fd6e6050b1ef50e42578902e2e3b2ee7f5973fed8309c55f33d8c0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\caf[1].js

MD5 340d8a59db8189247ee271411338df7a
SHA1 9b423de05ff2d15c88107d40146d0dd1b03431c3
SHA256 25ac5bfe94dbad6a8d33bd8b3844a471bc171202fa67f6778e263a5a3bad534d
SHA512 e74586f5d07a97997cc6a053f4cd5f1608c7db31375a4116c41227fe7373df11c842fdea268ff30ced05e0e864b6080404e5c064de9a8e794c1188e0610b7e0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\08ZTJJXR\errorPageStrings[1]

MD5 d65ec06f21c379c87040b83cc1abac6b
SHA1 208d0a0bb775661758394be7e4afb18357e46c8b
SHA256 a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f
SHA512 8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\http_404_webOC[1]

MD5 92ab50175c4b03970f264c637c78febe
SHA1 b00fbe1169da972ba4a4a84871af9eca7479000a
SHA256 3926c545ae82fc264c98d6c229a8a0999e2b59ed2bb736f1bda9e2f89e0eeac8
SHA512 3311f118963ad1eaf1b9c7fb10b67280aae1ab38358aed77c10f2587100427af58c7d008abb46ad0f59880ac51e50b5a53fc2c2a96d70f5ece4578ab72382b7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X3JA8BBM\httpErrorPagesScripts[1]

MD5 9234071287e637f85d721463c488704c
SHA1 cca09b1e0fba38ba29d3972ed8dcecefdef8c152
SHA256 65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649
SHA512 87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384