modiloader | 214dadbdb6e89cc9b1fdc78778ce6a63d2078e890db2cf6693cf036e83f931cb

Analysis

max time kernel
135s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/09/2024, 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d76da21878c2e088939476141a588a73_JaffaCakes118.exe
Size

690KB
MD5

d76da21878c2e088939476141a588a73
SHA1

48bdb8a79ddec98a7bf45c3649572e244e4f0dc5
SHA256

214dadbdb6e89cc9b1fdc78778ce6a63d2078e890db2cf6693cf036e83f931cb
SHA512

a05ddf59aa0f6419f8d588978e963eedbf37f53f884afc24547f8e8c4d1759c5fba2bf027cab3fb280300cad353f746930a006491f0629c26d83285fe9e823b3
SSDEEP

12288:WdtGgozqi5paO0lp9USQVUSyrkA4zZ6J+v5NdTgxWaSTA9:Wj2eas1USImazIwPuIaSTi

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 8 IoCs

resource	yara_rule
behavioral1/memory/2252-0-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/files/0x0007000000012117-7.dat	modiloader_stage2
behavioral1/memory/2388-12-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/2252-10-0x0000000001F80000-0x0000000002034000-memory.dmp	modiloader_stage2
behavioral1/memory/2252-28-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/2108-27-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/2104-24-0x0000000000170000-0x000000000021A000-memory.dmp	modiloader_stage2
behavioral1/memory/2388-23-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	rejoice08.exe
2108	rejoice08.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe
2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A71475C-6F16-11EF-B36A-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A714751-6F16-11EF-B36A-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{8A714753-6F16-11EF-B36A-E62D5E492327}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{8A714751-6F16-11EF-B36A-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2108 set thread context of 2104	2108	rejoice08.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	d76da21878c2e088939476141a588a73_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	d76da21878c2e088939476141a588a73_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	d76da21878c2e088939476141a588a73_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	rejoice08.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d76da21878c2e088939476141a588a73_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rejoice08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807090002000a0001002e003700760000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004299b8458e2f0a4bac79ca04b75dbed10000000002000000000010660000000100002000000073fe6f90a4bf4caf367d048755f7b9ae38ae9433bdb25a7db7f0331d0303db5f000000000e800000000200002000000076d81383396a8c886a242380e8cd83c2a4f02281d10ffedb2045e8cb5b26ad0050000000b576d8878ba3f7ceba8b57e510af268c7197d12a237b96fc44536bde941f88f4fa7ec8a2798f9eb010285d36577f0e7ce6eb6e5e3c3e2c4169510b6b8ff11bc3ba6987e3e2f84955dbe775485600d468400000008fc4e1d5dfa0d6136c805c35c1db8bec259efba247d1194abe567c89b4791c0baa8ee431976aac69d78763319e5899bd6ab685491e8108bb9ea6d8d756dffdd5	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = f062074d2303db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807090002000a0001002e003000e202	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = f062074d2303db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-53-e1-5b-f7-56	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-53-e1-5b-f7-56\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b01af94c2303db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2104	IEXPLORE.EXE
2104	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE
1924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 2388	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2388	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2388	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	30
PID 2252 wrote to memory of 2388	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	30
PID 2108 wrote to memory of 2104	2108	rejoice08.exe	32
PID 2108 wrote to memory of 2104	2108	rejoice08.exe	32
PID 2108 wrote to memory of 2104	2108	rejoice08.exe	32
PID 2108 wrote to memory of 2104	2108	rejoice08.exe	32
PID 2108 wrote to memory of 2104	2108	rejoice08.exe	32
PID 2252 wrote to memory of 2908	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2908	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2908	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	33
PID 2252 wrote to memory of 2908	2252	d76da21878c2e088939476141a588a73_JaffaCakes118.exe	33
PID 2104 wrote to memory of 2064	2104	IEXPLORE.EXE	34
PID 2104 wrote to memory of 2064	2104	IEXPLORE.EXE	34
PID 2104 wrote to memory of 2064	2104	IEXPLORE.EXE	34
PID 2104 wrote to memory of 1924	2104	IEXPLORE.EXE	36
PID 2104 wrote to memory of 1924	2104	IEXPLORE.EXE	36
PID 2104 wrote to memory of 1924	2104	IEXPLORE.EXE	36
PID 2104 wrote to memory of 1924	2104	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d76da21878c2e088939476141a588a73_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d76da21878c2e088939476141a588a73_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2908

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2064
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
212B

MD5
27f608a9e6cd73abdef0d3a9d05d3f69

SHA1
ba3ec6fe59e1b6510dfece85110b9f8075efac71

SHA256
2935f50d6594ac120499c0aa30d4ed8460ea6d48a94c87dfdccaf7d2f0e9893e

SHA512
55725d130babe1e9692d0d93ee65b4e8391ff3c55f8b85afbac408554d3528b58efee74e39bbc9485b88384383b872323560d7ecd609e273806ca53239f67002

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice08.exe

Filesize
690KB

MD5
d76da21878c2e088939476141a588a73

SHA1
48bdb8a79ddec98a7bf45c3649572e244e4f0dc5

SHA256
214dadbdb6e89cc9b1fdc78778ce6a63d2078e890db2cf6693cf036e83f931cb

SHA512
a05ddf59aa0f6419f8d588978e963eedbf37f53f884afc24547f8e8c4d1759c5fba2bf027cab3fb280300cad353f746930a006491f0629c26d83285fe9e823b3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f09ea5359f76414bc9b03ab79b511407

SHA1
6b4386cc0f3a2f37ced3547b1efc227de8b28ee6

SHA256
d6803c386ef174532953861b0eea193f74ba54517bc8eec17dfc86a867d26df7

SHA512
fb2f8580b240ef0491a72a84719215eb3b653a37bda5d180f3e38a1b0abe854cd3189ae982616589e503d27dcd8b3fb446ee77fe3a441a3239276dd8464574b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8f638ea09f9298d6b907a8bb71f0c95

SHA1
12c49e70d13ec1214b634c9459adfa3dfcef9e47

SHA256
72f004f58aece718bb755fab2f8305ca97332ad1f3cd4e5b8790ff11a620508b

SHA512
8a5d8216b4be13d4c7b473066fd4ad56845d3f4a228e182eaca65ce73f2e3fcdc6c999e24aa0d4494f398c3741c485efdbbfef96c17e66b26e1537f9c6c9ceb6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54f6c396311bc9ef5b89d8332cd3a078

SHA1
e4d0262ea68a5f26690bdc2147e7cd698b299d0e

SHA256
57451e89e225ef70c563c7344c8e917c6e56a9382c0ebf83c91fda1eaf57410c

SHA512
0056c7ba7a179a39f445c0250a2944d4532db3f49640bee4d0503228154561cd6b2e8acf5a603ec2bd1e52fe6fe6a6e710d207089cae57306faeb6027f8e7f71

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f63ab3f79cce13eeec13479311f5852

SHA1
c275258c58de44919572351ff062ad9f092a48c2

SHA256
ab2d020e2a5468bc4000f87ffa286d682437beef9cb35eb4e28cdb18e2f58110

SHA512
f81f22410918680d1189f8d39d213fdd410d19d0202c2251a8bfd93732be5d7bf72e5f4d9b81110a42cac4a54443ed730c0fed16135856271c3b0c10ba2ef2f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49656b23ff65ac743c79b2ecaaa34799

SHA1
bdbc451edb3489621933c988cb0ab5850272d07d

SHA256
7cb63cf16f20abdabbba6d5076940b53abed43822c30fbe3e73be8a46c2a9f87

SHA512
587d56a4f802c2dbcdf46a25657267da782e7367c507ebf3da0f78db0144fb84cc14b309a9f74d1a31fd6a020d324b17568a75305c4af1d0919d673204c5a68a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d50bd19b027546bd73ee164699ed242e

SHA1
b5a6964036a0873a354874c398e9d600e69bf3a7

SHA256
326a2b231d03bcc8fac60eb657afcafccaa046c377cec0212905c08db7d3e05e

SHA512
33d12c3cd3d8c547edc7418521772be5dfcddebc666c78f11abeb73ede65091a9565a235952eff682a82356afa6249cdcb70928b2ded6226926eac44abf68b0a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f157a78aaacb97180741ee7f3bbb65f9

SHA1
6044ddeb446781a007bac2e914b88393c4ba0c11

SHA256
13c0ab97ccbec697138c3c282d04f07d59dbe7a4270c68ab75fb63efa9ff9e76

SHA512
b5beb7706ebc997756f00a0135c6e199d6a8d298f4d9d022bafb0bd021b76cdde6a722b8d44a38fa03c33d250ed22066fcf8be0a8e39ea110b2ec1f272a38f1e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e266597d0913d3b7e67007f6cbe59e77

SHA1
6374d4c81482019e8c1013fe9c293d17fb8caf12

SHA256
e26feab3f08885de7156b3222febc87d2358cb5354b96bf9c5047e46f7064ad0

SHA512
3fd01503917986f3736ec3af8bceee8d7e21aa470ef565483dbb7e982b32a220a33585ecaaf6ee88c77b9f3a4f98d631c50a10713c5ebb0a6d3890adddaeb0b6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bda1b1af043569504d31587268e976d8

SHA1
fe9aad34cecf50ee4e371a94a975bd930993e4a0

SHA256
23eec310b12f20f3a615487c665d5678f339def6fc2b51cee9d97d88822042fc

SHA512
94383c4dcb1644d67cecf58e4f8acc315e79868b83d7b6f65e7bf4ea4f95fbeaf6f83c9f55c166d46ac8627b1ee266801ed44b8e34a1b635c3ea7506f7c2bc4b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b24a2c97d8b3c360a5b0e56aa05f9a0

SHA1
6c7fbb96cc188fe8c2b18e4948413b01e8bf7b49

SHA256
25083911e5d462bd56c97c61af72285aef2cab5699a1fd1179b28c5aacbfe977

SHA512
34a9484239ce0e6a3d1caee4de0aa1feac92b44ef933996530815b5aefd53807fc5227ad31f6a5b4bfb65d1d4519142138d7f92c93f850ecde17db569f02e88a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
829d7217fee5a422f2744cf399679db1

SHA1
5c89dedc44a53cc90919db1b200f96696d9654b2

SHA256
f8ef691d6a8b7fdb003f5de51e48316e7fcbb77865ba90e3021f5a1825039ab1

SHA512
7ebeacd85d084d0c85bf36100036b408f13cc135ca750c03edeaa0e6eb44eac55d7fa0753be47e2ed83e1f424727f020b729d831c79c505065ce51a724480916

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
182581a95af68110856e5b19a28c75be

SHA1
d9a05dee97b219e56398d58e974232ce24c2341f

SHA256
7eb6c7e27c354de73df8bee7abce267c9649979a187117f9b9a6385d9fb6763b

SHA512
690667b49461955ca202e746651f52f969423ee48d6fd724a6193db274612b7e4d98fc4773b56a39ae46d86f2c01f2e2c58b809b5f85f167cf1f400f91235f37

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ba3d5c83b82d30f49259b01337e0ca8

SHA1
1dd5fc60a3680a33a634a0bb4cbedd7015757c26

SHA256
b34ac63cc2aececbe87b3690d7318e9c5cd6dedff1480f95e947484ea4e73a12

SHA512
dc21db03e93d53d65796f089f9950d0c73abd60d7e696beac0fe02695a3cf2607c2be711880573ce06e6b4ddae31c0b373cc4996109232555aaa9d3764cb3f58

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9091ba3be671135a7e0eca2e201ca3

SHA1
0b23e0d8fc1f7cded29215ccef9270e82a691f94

SHA256
5a3635f641e94648c6b5040cfa4cf5e33e84e7304577fe41fec390ecc5260ae0

SHA512
9aec4c7eb7ed7d7b148e478741a797fc76c34e05df9e09fad22a63b654c23ea545baf7c4e78443187b59cee1ea6db71e8dd567897202d3e047b18acbf396424f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59966321c6d323ab863c295a709b3615

SHA1
41d415a7f9dd75c3d91b98efc8b93f3f346039e1

SHA256
b4cfbc62ee56dc08c6028a534091faab9a5a6a226042a8f5c17ded23eae7ed88

SHA512
f9bb05d55088227a380047705a7912713afa319ff8c8d79a54ae97c1d2b6be85730c78ff1aa63fa0b94c7da7c41919bb6dc9a6c65dc07b2d966a93554bc1c5c6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d599e89801ae42a0b3bacd6f772342d

SHA1
dfa220ce41a64957eeafb15310c84c56cb2a8d75

SHA256
060c944cf19c04fcba6ad4109c75a486528cab48e4b3cb1bb78ef28ce39485a9

SHA512
ac2c06136345a2c582bb11fa76b0e8a1c9df31f516e739cb22632669a31465e7c52704d5cd066a21a427194f4ad92e76da5d7b60fe01e51905ee5bb0277a5d21

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1d33729e29e361d5e09a02a165e364a

SHA1
a796b08c9d57cd938bf2594c4220483fbf876b58

SHA256
21c8886f8ce4ea9ecd8f67f36edd14dfe4a9c491b89e58f6625efeae50ac0062

SHA512
70c874a423194022137015c37f833e7701ed49eaf1826821c8963ddd79cbeb1e59c4f41ea91e4acace756325407b3c214a30155051d9d1d7139920ed8e7ab168

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c2adc8550c1b1af7b40117549992da

SHA1
940cc6553ed36411144c52ce5b721575a07e3507

SHA256
fd1a42f7864977c6166ccd2b02e34534899086ddbe9d7b0a04882b6d7aa5ef17

SHA512
2d90de8775c6a7a50c964aa9751b12736cf96f7015802794e08d5bdcdf6630d23245424cfa20868aab42980f2eaa5525bf883e10b49cc5d6dcb2f683e777f203

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
689fc9ed2cc5527ac6325a400ccead07

SHA1
e6921e5c2294d99183cda887003b156679be30b2

SHA256
04d5aadd3aa95d4d8c207058e7f5ca4cc90fdf3ef76418bfd686a24d8ba5ba83

SHA512
9ad9dd7e2d3a936abb2f0d4df1853f9bf0266b057610c914e99e5f9f1de0b897f04afe02724f3e416632ff4f35305bfcdea289ad5006af0f47066753a801513a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e81f09c494d3bf2f9237f9be81233354

SHA1
f4af015db2291ffe998d1270b3541cfe23515700

SHA256
2a265bdf9a91f3f3175cb0114e8a0ae16e04426dd898f608b9c90c72feb07bdc

SHA512
deb5f825d2b96dc36105ab99ff4046e9d060c7760e0096d2be37a169a294425934af45373a016cd59e647b7f0887136a153951e45e3395a07a71f7453034b6d2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b3a19c616834f099f311f8ca48889b71

SHA1
695893b3e01229459ff126ec07834787560ced41

SHA256
d0d3bd374caa482c2758a013b37305dd83a36db32ce441210325baddc16b3117

SHA512
ba3bec99e061c95075bd5b47f89506e32c36bd56da53bc22d24ab486c122e4ab50e0190bc16b19c5d41414e153a6b6e96f8105a61ad54039123f60d757147d2f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabD196.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD1A9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarD345.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwC67A.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwC67B.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2104-24-0x0000000000170000-0x000000000021A000-memory.dmp

Filesize
680KB

Download
memory/2108-27-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2252-0-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2252-28-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2252-10-0x0000000001F80000-0x0000000002034000-memory.dmp

Filesize
720KB

Download
memory/2252-11-0x0000000001F80000-0x0000000002034000-memory.dmp

Filesize
720KB

Download
memory/2388-23-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2388-12-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download