modiloader | a0594b8712e34f7041057acb34dac7fa53847f5f0fdcc040fe2c4f11ed6cff3c

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
Size

678KB
MD5

d743b5fd27a66e983ade5dade3979bf3
SHA1

0695d26b2180cbf0a6cb4c3a30a55bb5695609cc
SHA256

a0594b8712e34f7041057acb34dac7fa53847f5f0fdcc040fe2c4f11ed6cff3c
SHA512

17797fc504bbf0f8d669bab27fae88b3d0c2ab931ac89a6e6e95f0f15a13ef16d04ad410ce1df358ff68dea4c3135e8c1acac2abd9d9f3e3fc820877e85fd993
SSDEEP

12288:5MN02ezigQMqSorIZx/DuFY6Xg+R99uzvdwXF3Z4mxxMcYVayynAID2K7:5MN5Uowx/+YY9OSXQmXcXyR/

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2532-58-0x0000000000400000-0x0000000000563000-memory.dmp	modiloader_stage2
behavioral1/memory/2276-56-0x0000000000400000-0x0000000000563000-memory.dmp	modiloader_stage2
behavioral1/memory/3016-55-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2
behavioral1/memory/2564-54-0x0000000000400000-0x0000000000563000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2564	winhlp.exe
2532	winhlp.exe

Loads dropped DLL 2 IoCs

pid	Process
2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F97F1641-6F02-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F97F1643-6F02-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F97F164C-6F02-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F97F1641-6F02-11EF-AAD0-E29800E22076}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2532 set thread context of 3016	2532	winhlp.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	winhlp.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winhlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80709000100090017001a002d007900	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BA60822C-E19F-47B4-9712-7F33DCF809AB}\e6-13-a0-b4-39-bb	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80709000100090017001a003000f10002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80709000100090017001a0030008d0100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BA60822C-E19F-47B4-9712-7F33DCF809AB}\WpadDecisionTime = 206cc6bd0f03db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 208536bc0f03db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = c02334bc0f03db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000409e2abc0f03db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 203d30bf0f03db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-13-a0-b4-39-bb	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 207a23bc0f03db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80709000100090017001a003200cb03	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3016	IEXPLORE.EXE
3016	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE
2036	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2564	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2564	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2564	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2564	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	30
PID 2276 wrote to memory of 3024	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	33
PID 2276 wrote to memory of 3024	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	33
PID 2276 wrote to memory of 3024	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	33
PID 2276 wrote to memory of 3024	2276	d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe	33
PID 2532 wrote to memory of 3016	2532	winhlp.exe	32
PID 2532 wrote to memory of 3016	2532	winhlp.exe	32
PID 2532 wrote to memory of 3016	2532	winhlp.exe	32
PID 2532 wrote to memory of 3016	2532	winhlp.exe	32
PID 2532 wrote to memory of 3016	2532	winhlp.exe	32
PID 3016 wrote to memory of 796	3016	IEXPLORE.EXE	34
PID 3016 wrote to memory of 796	3016	IEXPLORE.EXE	34
PID 3016 wrote to memory of 796	3016	IEXPLORE.EXE	34
PID 3016 wrote to memory of 2036	3016	IEXPLORE.EXE	36
PID 3016 wrote to memory of 2036	3016	IEXPLORE.EXE	36
PID 3016 wrote to memory of 2036	3016	IEXPLORE.EXE	36
PID 3016 wrote to memory of 2036	3016	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d743b5fd27a66e983ade5dade3979bf3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe"
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3024

C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\winhlp.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:796
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3016 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
212B

MD5
81018401d94d61a6b1c140b764b36d08

SHA1
76ed0b6f1fb5dcdd6d84a301477a3e4f8536d312

SHA256
da536526d3315d4833981c5155c70335e5aa5f93232ba6a676d03fdcb5f5e9de

SHA512
a38eeb853b88fbd1f53f7ae5f3dd641703209f99333e0a0f1738d0e7d7426bcde2c8f677ee94709631a13a754452f4425f75a5111b80d34c14c3631697a33e85

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f99d8a4b63017153c83908c9078c467c

SHA1
b839428c7d2abfd4fe96408675fb9b6fbc385c02

SHA256
162a18881c61d419b3b5af1fffb7a23623bb8e88dec5070033b46326e74ed971

SHA512
beb41f6f092b343d720b39a1735dbc750b966c4e16ab4584de2df41cbe33d8d5d0ba92199018ad0a77dfd6ef7536ecb1eb5ee3776541aaa5d44b2a416215e6af

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82a7b0d9056be8c25f4f922629e1c569

SHA1
6d10e6f51e62a6fa3248713732e664c025e059ea

SHA256
0614ed440d8fe18790cdd9907bab9ef44a37295631ba8e0001a72009e2f78e13

SHA512
134ab1592f663c71d96554a443427a3b5d8d6fc1bbd6393566c0fe3b361144fbbd09609e778e7370b0b0b8664205fe884f3c022f6ff95f578bafd655e2f29e86

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c7dfd77adefa10c05eb45114f7a99f6

SHA1
065c1a90821892a2ffeae7ebdd1cd6d770ede3e2

SHA256
32476fcbc76fd30f75b28044cf2423b191e42da1d85acd5a1da13693f2203714

SHA512
c7f278e39f011744d73ee78bf3e0eedaea4a2161db2858b2e7535171cd105c7bec34418b7c8d08b27df4b46b1bb3222cd6fc1b9e5fdaf0fbcb32856622f5ea2b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10c04f3c6d3d9b829775ea81a8126fe7

SHA1
dc771d3bb65a8a85b76593fab1592c1204e4f07f

SHA256
95ea3e3696eb94336765c24f2a804f39b6e8d4b8bdd369e303a24243e89e6ec4

SHA512
2103acac702c1df927242e851e7d7e1b2121f9ed74cb583fa694606c57b2b3f330af3eb504478c9afd3be9075a8135e2925a5f4081d853a624221974b71f0880

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c08b8f933b967f8857dd9c289a9f0cd

SHA1
1e0540a24b1723f5838e61c5162204bd86304b01

SHA256
565350228a65f3a34ec2e52a5d03c6b92b82aa3b651275fd40ebe779182b0453

SHA512
7f68e5c961795479f9037961983d6dbef36b2791dda63f73e1e3911ce5ece1bd15ec3978f9335b273b89956779eb7f72c8d2b8a21100d850018b25c1077b3f9d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9526553827042130e16f16fffe668b6b

SHA1
8ed47cd9599340ae2de2a18af004355fe7c9995b

SHA256
b95a4ee4d59f690dae7f4ed0a292fb14e32408796237dc4f6d74fd7f8b6cfbd1

SHA512
bc45e62a0b283e7bb8bf503007d44465e132ba725081cf0284d20c151d00d5651a588ba706fc737a6948f3c47ca15a64457401f43d820ed70c311c02ff95fb35

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69220e34bcec8ca32f05c7668e32d288

SHA1
61105d10ea0f9cc974716715f82d5eb1db17cce7

SHA256
879d2d1baca0dfebed5c25f70f54271a2098b9a5759123c9d5edd8d112d57dac

SHA512
997b66a17ba4845408797405494ba81252f4c83d5e17728255a68e3838b3f3a5f56464de9b4a702d494ffd02dda5ee1ed59f0159df65537152177305dd29f158

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
618d79b3f42b3fe258cec7000932369b

SHA1
bdf839bd132681fdf2fcc7920278072f6b3214e3

SHA256
f5dee2d8f63c7f9691e117bd83beee274ad7ad4d0f302e4d6520215484c64519

SHA512
faba0cce44a734cd323994ded28ec45a8f7218e45f33459b32fe45a75096d5656adbbebc9662e8cc4b449a165468391f0683a1d6dbf2715ee6535631bb0896f5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ac2e7b2f077a4f866af3d84e8e0ecfe

SHA1
f1b9c0c08dcf09c3ccc59af92de48faab97d48b6

SHA256
1b2069ef263918775707c1a70171f909aaf7845ef539d4ecf380965f55e84d4c

SHA512
3f26b6364c874729829803311f3f12f5511f6f1f3a589d45a771344731e15504e2a0c1576daffab3c117e5d8d81562e38e6ba756052b4d1960080645f5c788a8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1f5d4030e8079fbe3a1fb2c34afed45

SHA1
0d49f5fe7c129b4843a8d637b9557223c9559885

SHA256
1a08f9eae2bd5631647710320cf0b879a0e05a73d669d3ef558a7cb46bce5c31

SHA512
c6837b5996df1999cb86062f641ce60396ca21b90677b09b02d62cc743ebe5da007704a101f8d11dde6bae3b7c6f74d51464ff825e710c8cf57eae6df6ddb16d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5d70ef2dfc4aef9f0999b390283c5de

SHA1
52309b9d7a52ea427dbf4089a1ce41a567343afc

SHA256
057df89c9f3032085fe21c00c772aec5a054833234cd24a11c16c1c32c6ddb80

SHA512
2c8e188639bf9c6fc01dbddc3af19b57b1345cbfc722cbf95579a7c575a8f32e12e3630e4ecd06f56385f7f24eb530669b8a7e489ca7d6456262a27b7e233701

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de4425b1332e328f355940594c57feab

SHA1
9ea215b77552f4fc7c595c4a76dc9e02b53ab00c

SHA256
08d785d1b77873c4bf7b309181e605b666669c0584d04f792f677c863cd2b485

SHA512
e7df1cbbc07170849d013f9c82f29b18d8d00e889dbf488143cc5c3fa19775c5d80c8b1ac51f3511022a833f30de9b45fa075da76412dc013569fc29f9269631

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ded403c8b4b170a0468bfd9ed9066409

SHA1
b17396554e9f96bafbca910dc7f9fbcec63027f2

SHA256
6d341ddead1c5a47e0f28d5d987466f50e88a65441be60608d06a0e954e4cf16

SHA512
9e076eab7a7ee09a2ec4d5d7c95e630ea53c092ecfca9f3ffb079441700396f7c1faa49f8af2f7a016616cf9eb90d9919a233395ed4d82eb5c7149dc0c048b3c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ea4304c52f78e6eb233db77fd9c4ec1

SHA1
aa3ccf75237bfcf0588ae1356bb80653f8bd1269

SHA256
ea27ac5dc6e7566e8c87459aa0b8d30ec6387e699da3468c6187b756e77a19e2

SHA512
f7d0003c98aed30df36460fe0324f4c18dd0bf2c96d0cb0f4e14511214b0a550962587f23176cf1a28dc4cfc239f9a15ad31ff6609e44631383f228963ea5505

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b8636e63580fd6de08d3e29c26173a2

SHA1
bfe34741c0b0af1ecc78560e353654c2e36f4c94

SHA256
77a7dd42f66b7520c98d5c5151a679302475e04957897621af5902380782ad1b

SHA512
0ed63a646167c6a23e9c5d5a7414570d6c3b31f78afdd7ae0c0abaf9ac3f47fec3bd3b17002ea9e2a88d9e2d005b1724c40b49396a073a545ee720487ab30e05

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bec6911bca1f577fc32ab253f46d2f5

SHA1
02d3a7a59dd3b45fcd0b37f85fbe8b14f0d259dc

SHA256
527119629c1ec060b2201abe701603f6917fae2786369996623b8d190a9304af

SHA512
115772c30b401ebb5913faa238bc25b484e562c69ef9bcfa619cdb74742a0ffcc421ee31f9f23631e702c31443f5b9a67f9efc24ddb45c574af8a9d2d234fbef

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b26bf3667a44e784705130fda861688d

SHA1
45a297ec0197bb9c75198ca61f9d37b9ec1c4377

SHA256
e55db93c55e8d76dd2894f809034ac79809ca12ee4cee1ee6053b84e56e9d3a6

SHA512
583ae7a578692d1c001e1943e7015d8a2db83f48253f262f19b6dbde54a22a2b3c5bad0a088ce7353566efe1557349c75574be47c327d0c230b6602b5e6d18be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3251ee911bc298e7e87fa2f90e911ea7

SHA1
ea3e5d96e07dfe56106bec43be31be871c8db0f2

SHA256
61e3eb8d6a5ba9061eb185e0e2f779cd3ef97162ef18d87f67f2b85fe8d9bf6e

SHA512
0883c93bb88507f2d32a03972e99e19b2f8642300f3a3c2ce2163b1d1aaf8033d085850d85f2c66e5e0b855d20d6ea7ad7ec1af378faa495ade3e76e4f4d88f1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
277138fcaf3db39cb84ca12e951d54e6

SHA1
63aa32f896ac82805706d80f8659f4a7cce4ce20

SHA256
56e7dd77c197389f36efdaccf6f7bc3af10f792f8b25b4cdf5a2b80632fceb83

SHA512
4fb7bc1d13ab7ca94c15de3728d07cf64e226f1eb7cccf81f363211d1137213ffcc8d5ad1463e7fb692a70981aa807105e85a07233dfd47d209d19d95b10499a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b83e88de440984909aa819565b2bf0

SHA1
7a59a93d2c5fe5c89f3d06c473587bad7310d979

SHA256
484e18c83c33c329aa5718cf18736730b14ed1fdbf6bf99b4bf9f9071848e437

SHA512
2373bc3c8a2062b887f947eb95404fd091322ba26e4c6be17f65140e2f72a67f8f69138de45b8248de5f4c62ebdeb21be7615a27c887a8b56a4576f0b4c18693

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2cc164f7edff9e5dbba4fda3f4c3005c

SHA1
db4724ccd264166668be18bbdaa97948df0a6f8b

SHA256
e9eaa743619bd9b274886f11865db377922304b70b90b6b9c2f3cc41c20d8ce7

SHA512
e9e27709e9c1596fad4f2df2ac52553873620e99f70f97261f2488d7226bb0c4b419fd4f9e723389fa8b4e79cad67e1b43ea12f1497ec6768f7b6936106329d3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab70A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar70B.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar8E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwFB7E.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\winhlp.exe

Filesize
678KB

MD5
d743b5fd27a66e983ade5dade3979bf3

SHA1
0695d26b2180cbf0a6cb4c3a30a55bb5695609cc

SHA256
a0594b8712e34f7041057acb34dac7fa53847f5f0fdcc040fe2c4f11ed6cff3c

SHA512
17797fc504bbf0f8d669bab27fae88b3d0c2ab931ac89a6e6e95f0f15a13ef16d04ad410ce1df358ff68dea4c3135e8c1acac2abd9d9f3e3fc820877e85fd993

Download Submit
memory/2276-19-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-20-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-1-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2276-2-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2276-12-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-42-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-17-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2276-37-0x00000000034C0000-0x0000000003623000-memory.dmp

Filesize
1.4MB

Download
memory/2276-38-0x0000000000280000-0x00000000002D4000-memory.dmp

Filesize
336KB

Download
memory/2276-16-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-36-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2276-18-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-21-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-22-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-23-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-24-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-25-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-26-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-27-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2276-56-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2276-0-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2276-3-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/2276-4-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/2276-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2276-6-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2276-7-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/2276-8-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/2276-9-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2276-10-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-11-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-13-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-14-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2276-15-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2532-43-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2532-58-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2564-40-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/2564-54-0x0000000000400000-0x0000000000563000-memory.dmp

Filesize
1.4MB

Download
memory/3016-55-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download