070e5be02cdece70cce53208918393baaa11b330f4a766d05eadc8b652b3c7dc

Analysis

max time kernel
142s
max time network
132s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe
Size

278KB
MD5

a6c2d5553cb710e97d87d10991fdfd1a
SHA1

6fe3c8c36ab67eb7ddb1505d25e8741f20d6b277
SHA256

070e5be02cdece70cce53208918393baaa11b330f4a766d05eadc8b652b3c7dc
SHA512

1b715a41aa7a9863d89b27d2c7fe554e8444f8b0c4a721713db093e7eb3f4070b0866462d0b0edf0e4ff8955c4a390bb716bc197a87f40f9635a456dcccbe1d1
SSDEEP

6144:SHTrFvCVS+ks4e+4kcIlkZDwZVh16DHsn3jpCyEK6AsF2ghHPX:IF57PnsQh16DM3FCyEK7snhPX

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2184	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1656	playver.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06E517BC-5D62-11EF-98E7-76B5B9884319}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06E517B1-5D62-11EF-98E7-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{06E517B3-5D62-11EF-98E7-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{06E517B1-5D62-11EF-98E7-76B5B9884319}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\playver.exe	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe
File opened for modification	C:\Windows\playver.exe	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe
File created	C:\Windows\playserver.DLL	playver.exe
File created	C:\Windows\UNDEL.BAT	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	playver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430147975"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070800000012000d0001003600eb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-10-ae-aa-a4-48\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070800000012000d0001003600eb01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070800000012000d0001003300e30300000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Connection Wizard\Completed = 01000000	playver.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 50eb74cc6ef1da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b0896ac96ef1da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	playver.exe
Token: SeDebugPrivilege	2192	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
1656	playver.exe
1656	playver.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 2044	1656	playver.exe	29
PID 1656 wrote to memory of 2044	1656	playver.exe	29
PID 1656 wrote to memory of 2044	1656	playver.exe	29
PID 1656 wrote to memory of 2044	1656	playver.exe	29
PID 1368 wrote to memory of 2184	1368	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2184	1368	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2184	1368	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe	30
PID 1368 wrote to memory of 2184	1368	a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe	30
PID 2044 wrote to memory of 2936	2044	IEXPLORE.EXE	32
PID 2044 wrote to memory of 2936	2044	IEXPLORE.EXE	32
PID 2044 wrote to memory of 2936	2044	IEXPLORE.EXE	32
PID 2044 wrote to memory of 2192	2044	IEXPLORE.EXE	33
PID 2044 wrote to memory of 2192	2044	IEXPLORE.EXE	33
PID 2044 wrote to memory of 2192	2044	IEXPLORE.EXE	33
PID 2044 wrote to memory of 2192	2044	IEXPLORE.EXE	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a6c2d5553cb710e97d87d10991fdfd1a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNDEL.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2184

C:\Windows\playver.exe
C:\Windows\playver.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2936
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2044 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
78b2b227e31bb00a08ac9e691c234b02

SHA1
1bc07b4bfda3556723d7ce0d2717db9dea3945be

SHA256
96fc6292f4bb42ecc23c2416ba7fbcee080c298ae59eb60618768efc143cf388

SHA512
41d86d64b773b18b2892f6b3dbb7323b94973507b8638c06e7a15573c6b167d246ba712613277ad39a167d0b04ff1dcc8315713d92da1ca60dce950ca3851b72

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34b74268224ffcda5d805fb792869622

SHA1
e6eadc1ab4413e01d2377d335f5626d73808996d

SHA256
da90ca8cc17647df7b0f05be64c0f220ab0dabea91cf508af667a925f275a2ed

SHA512
cb39803f601291d3190a4183cf45f33aa9e381312aae876a36299f18681f72ab5a3edd3fc26838633fafe2ff361d31e14984f7141502be72ac401d9138ca605f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a518f78e2a7d91b89e3f1235b1555a7e

SHA1
3185ce33b17b703f94da2ab58d2dfda2fc2c2925

SHA256
8906f14e57c4d34c4f928e759f2aae2af6dcabb33113e690e544b0abd7dec364

SHA512
07b060291b9858d0dc7dd3938aacfca740a1e5fed51133e712033ce046ddf9046a97c517d21db765c8e2b8d721770b43e893a61edac021240d55ebe68083bdcf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa7d1b05d0eaf0f067845c9b9c418388

SHA1
b9c46920ab59a94badbac63bb68fbaad744a7f1b

SHA256
d4f72ba361fd8ea8e473dd2cea18b7b08d10b1c35293b59791981ca5f1123b1b

SHA512
17ae547345930151e07c5ea77ab5197bd1b1022c5abe62cb77e823e5f92f25c4f9edbaf4fd27a1c2903de5b3b00ba8abf4b7b52f222470fd8066af5f81fd55ff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
162746dabdc5627da84369ca4a131d3d

SHA1
87a46b67508a86d3d6f01ab2a9ad879d730dd59e

SHA256
84e0a3848c2024b642d700c25bcb69cbd64ec1c0c6bcc0be7e181ff8bb472afc

SHA512
260289988438543b1031442e4c0d24f22113e131128ea8f334870745d76efe0b7c687dcc1ca94c7d3c84d79fe7849c83cf32f8a613d97ccc95a5bc7ecc2a9ba4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e591c024d52f227b8d0d09ba36f5573c

SHA1
c76e1a30f641d184ce55fb29609a23ef719a7692

SHA256
4c8cec2b33b0a1e5a82c9eeb754d795b7d99ae12df6a9455f8f09a1afa3a16b0

SHA512
6c5bb263e4e7672b7e43bb891f9c4e05c1c1f629c9cb064bc2f2214f75bf0ec3e42d3ef1efcd73b72b329422db2138d5c325f831faf3ad3632ab7ffa681afa6a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55abeecab06bed38a682d0fd905cd74e

SHA1
3a416ab386cd3e13b54509afc7825cd12a66c086

SHA256
4a5c1e467a592e2fe29f6a18dc2ed02c6a3c17b7c6b0ce1e8afa386f82dc04f4

SHA512
84c848b4449525f71830e1d3c90e37bbe20e60de30d5ceb4cff58b63c276480de3dee260f306145e9b0760a17f59e0302d2757aa6c043dc39d8a1e4aa40a9dc1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a69206916993606eaccb826a8de502

SHA1
697e8340c3e7f688b1b2034c66614da6da55678d

SHA256
b7bade5b0a1ce847e185528f052882c4da42f2017add002b1ff88baad7a7b023

SHA512
c3e2ea8663560e0b347e9b9651364d02ccf0f53ff21efdffdd9d7d37efe85a915cd30b3c43717383ec106b7f99f8c75ab4970700106eb31c574c3f7b8624cf44

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a545253cc267d01908e3318f43c582

SHA1
d8fa6d17f88c15134ef606ed95e035895f72237c

SHA256
383a10589d10f2d5bc903fee2da647425b5da44a570e2f8d7534b51eaba128b8

SHA512
379e2c8f0363c2b09a26d2924db82f8d0de9ebd11b94b4fb81b70eb0a980006c77d44e8a503ce247a7aa760602cee0bc57c2e289c913c3a0ff22c7e2269a0a43

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0981cc1cb808102fa79fbb6166ec0c46

SHA1
5e9825bebd7af2f687418847a8e8d4374657b701

SHA256
abb94c121d5dac3bc848957cedcfa84e9ea74083082c1214b5c338bd88d566f2

SHA512
77d63ef118079966d655ec48bb909314d8e001d24fa37edea20e94227b4d4aa160c281a553a2c2c0c12b67697a26fe3c71eb251b2e43b781a92dd2b355cb03f8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
671fbc16b864cca1768858876c4f2a16

SHA1
d876f4feb3701b9df388ec156a7dbf56afd5ad11

SHA256
86e1954393be04ea9cf5b1279fba566a7e83148cf2dedda54eebbb6cd5c11175

SHA512
877b9e980faaeb8ff3b90e946790331ca26863a03e680b3fdcd8e9cd1f20c44d87dfaaeb23137c80f977d310288cb5117da3cdf0f3c76ecd1e11c0ab0e1e5bea

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc9c01f52e5f8e5cfed3e40e61877d65

SHA1
40351f99fc0ed863cbd7299a24b9f8d3914a7fdd

SHA256
6231021b8e8c5d636c024b26aafbbdde2d5f8275592bd4d940ae8e6d40affecf

SHA512
c7a3a4a846b93a3a0f84c62ff0e1fb716d9f9826a8256ad61ff6021553e4b518b62e22ac8cdca918abfc79ca611ac1686c2c550d045391360ae79dab096448e2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10866c3c618a1586f06401bd42be7c3e

SHA1
3eabe7ac7cf7d36c60f0cf304f21af841a732914

SHA256
eaf392944f23fcda0561031a47b4570e5380b7411e6eff3d2ae3eac2c3b9358b

SHA512
a1f882c7ccb43437bc14b621d8d0d59d37ca3255910e3f207eb3054d028aa785664340dc83f72d39f8278f0867592a87122a1344717453f94a3a6121e193b2ca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74745c38a44dc64086c657b96aba7b2a

SHA1
3af96140966f9005d7784bb4500aff1fb165d3f6

SHA256
b04630fb10e92e24f062ce71d85b03e558bd6c197345e87d04d313507d54546d

SHA512
8e3d8cd448cf97bbadaafd13a89fedaf783735758d65672d0fb99eb199740a1a72cbc1d5c06721ceb8f62c70cbbe3e4cf8c13d59ffd93eb8e11a9b158cc7222e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5305782755207475cd2f93d1c6da5d5

SHA1
e6958d9c2d48bb0e3c50875e5423e1d79df01c31

SHA256
c0460aac0685461535dfa5241151d45f58b038fdc1ab3edb29a783c1521e0b5c

SHA512
347104578b17915033fb89611ad0b0213681d2b1a8b84848310550188bb6c809b4f56c84846068593f9ea184d54711ee8e7c7613e921feca258ee491f1f9e324

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20b5544157f955e43ca9db4a86b154a6

SHA1
a94c0993e4c6f6c8c83e0a8b44a5a3e7e2d2babe

SHA256
ecbd40ea7f6c40072b3bfa2803fbf29c1a9aaa299efc173256be54741ea152ac

SHA512
353bf2ec7e86fe6589e7c7d7bd798b1c73b7931b15cf7320cdd4fbcd9f5c74517f9e8b0eca6d85ca4c93ed4e89a51ab2c203c289bb431d8f7603042b088dcd84

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2bc24fe1901e70684ff5e1872411ca2

SHA1
e04a26719b22602311aab21b4f041c747b7a0f64

SHA256
054feafc0fb535519d6e376f7193ae27d60686bd271b2bafb8e1ef419cce0871

SHA512
d73056f5e5fbe5c3e9c2e5e51375be0652bad54a335e1517096185473dfdecc7e0ae8f8d4c4019caae5daca0f132a88a75300308f01d6c00bba86ddaf5f3efc8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09385ef3769c41223c6c7126093480a8

SHA1
6095e675a2c11f2d2ae4539fe56ca15fd429bb5c

SHA256
dbf927287d8f097988659d8e9d3794e373b905a5cefb7d30a4f5f17ced0fdd7a

SHA512
5ab0f7d946f8fcf0de440f07deb17daf4f2c2de421f8fa0c5793d3e58a1fca53c0489e2a76887052b3070be4c5986baef9e7cb5618bf8880f33395bb9dcdfabc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67d42f3463061b9b562e47e02f1a2b3e

SHA1
085b2c19a01ad1ae92bf60e07d38add517206dd6

SHA256
c02ea9009746aab5f5a8df6a956dd164b9bb6519ea4316ac875a21034ce5b6cc

SHA512
c1da7cb0e1a356d978fc41323b10f8376b1db37b8c1c864cc2b6a4a67da358d3142026300cb5f19cc826dcc5740df39f027f095e600302f05237edde87feab33

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d635d433926d520eb0a7f944693fe2de

SHA1
c0d727a24b2e0f257c3f6c48c843845887ab9b0e

SHA256
3a4185ffb46aaea9e8344c2ebf608e62c8ad362d5d68c10bbd322442dc2d364e

SHA512
48f00937c121fb47dae306cca12768b26b517893b84657402e2864ad7dfd1be6ae5209ac9f7ddf429ee2e20c5245408f6733d5e8a2e856473c740a750446875b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c39461372358ba67d76f46f2580ed75

SHA1
98ee4c40ee23dcb24842fb31c76642a97ddd9747

SHA256
1a5835e19f2d6a121fefc85e198027cdbbe4cfbcd147234cb3b337ee1275baa2

SHA512
2f82b395743c90d1196cfb750c55ef4580decb278bf7f2f69c7d6263ff35505df6542adbfd3db2b640611874fee9abdf91ca5c0e8ac0cceafb7315a4df582432

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
197680e5a67a168cb1ac9ab8faf9fba7

SHA1
c1501c4ad20aa1bf0e4331d7e1d8abb0e0a68cf5

SHA256
449867857b3890f1edaf191e42a61fa7bfed2b56c1cd31007abbbe34dbcae471

SHA512
a286d781ff2d52b1a209d4bef41f7ef8e587389b58e157bb3e99d10b1df6baec1a94e713b07a2d41e5786f21a1c2f4e95f8fb2bfa88765b16038cd6fce78abc2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
822610b318189bb13ae7d2cdb4e6d702

SHA1
7b4050ef8dd241500ec5cc939c71c1ef2428afcd

SHA256
60417d64a9a27e8bf100ce90924327fa8c4a93ad75ae4cb77998b338428204f3

SHA512
ad063098700414ac7b223ead49cd9adad76df59ec336fdf1a47be51f2e0375434fed05d639e3808f34c96097cb3c5cc83211699fc50300cdc2b7d2f9801b5ad4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
282B

MD5
dd74e2fe22d5594e137db16b476dba8a

SHA1
ea87306a8488f58b874ed91af4367a613b996da1

SHA256
14ce9784828edd441bdad1eb1933bc9140e134aa08cc25af0983008ed273b3c7

SHA512
22ddb320e5218f831a0056443c530cb14ae9838dbaf19f5a96067ccab63fb2cc8b6ce5b1e5197759721bd6bee2d2f9067236d44e377c14859da756f013139089

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabA1E0.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA1E3.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarA301.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\UNDEL.BAT

Filesize
218B

MD5
7aa4d21266be4ddd674cca9739a524f0

SHA1
474bdaa840b7f8b5fdb91f256c387e97328d1448

SHA256
2f78a1c040b5d62e5d3b2f3bb63ba1161c356646244bc7beba05851409fdcdb8

SHA512
7706f7fc714eb934aa57ee219d22bf4d578805ca5960292eb3958eab8f20846ac3beca7a3ef435813345f3649469880686677a791fe183ba0bd2e7ed2312bc78

Download Submit
C:\Windows\playserver.DLL

Filesize
577KB

MD5
69b17c7f728b2b20760d0ee59fdbdfda

SHA1
132bdac7467f99cbc3c2dababa9f2bdbfebbe0ac

SHA256
7cddd8e6c6bb75c5b4556cda63726bcd8f2383b698c9745bffe596175bbd2d4a

SHA512
e1306ef7c554957ab1f4537ab8702df791d92e55aeeca94259ef54d9bacc21bc0cb3226f3d2bba0f07e6212f6fce7165420dfce8bd31679274a503d697edf9b5

Download Submit
C:\Windows\playver.exe

Filesize
278KB

MD5
a6c2d5553cb710e97d87d10991fdfd1a

SHA1
6fe3c8c36ab67eb7ddb1505d25e8741f20d6b277

SHA256
070e5be02cdece70cce53208918393baaa11b330f4a766d05eadc8b652b3c7dc

SHA512
1b715a41aa7a9863d89b27d2c7fe554e8444f8b0c4a721713db093e7eb3f4070b0866462d0b0edf0e4ff8955c4a390bb716bc197a87f40f9635a456dcccbe1d1

Download Submit
memory/1368-0-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1368-13-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1368-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1656-704-0x00000000022D0000-0x0000000002367000-memory.dmp

Filesize
604KB

Download
memory/1656-653-0x00000000022D0000-0x0000000002367000-memory.dmp

Filesize
604KB

Download
memory/1656-679-0x000000007732F000-0x0000000077330000-memory.dmp

Filesize
4KB

Download
memory/1656-682-0x000000007732F000-0x0000000077330000-memory.dmp

Filesize
4KB

Download
memory/1656-4-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1656-703-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1656-681-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download