modiloader | 62defdd68cd73b06364ce453c37c1a6523848f660fcb04cd40b47f9218e52420

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-09-2024 14:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
Size

328KB
MD5

e712cfcde0da6e1fd8b5bf7dd5d5c805
SHA1

1e0ed37f52b5f1c28187e64d893f0d27fe3c04ec
SHA256

62defdd68cd73b06364ce453c37c1a6523848f660fcb04cd40b47f9218e52420
SHA512

ef263be24b9b3b2cd069830a3df9833e4ff7d41d1a543535690ed76a5e6f60f816c8dd7a6148638dd92c4683c4367d92917ff7e19f79d377848af93a62c0680f
SSDEEP

6144:UvSdpSrgpHnaZa4SmVbloxSaHva8rOpsjp86w1AgvP8hMfUKf8p:UvSS8Sa4vrZajlZwBPbQ

Score

10^/10

modiloader discovery trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/memory/2488-11-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage2
behavioral1/memory/2488-22-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage2
behavioral1/memory/2952-25-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage2
behavioral1/memory/1864-27-0x0000000000400000-0x00000000004B7000-memory.dmp	modiloader_stage2
behavioral1/memory/3020-23-0x00000000001D0000-0x000000000027A000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
1416	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2488	Se008.exe
2952	Se008.exe

Loads dropped DLL 2 IoCs

pid	Process
1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1864-0-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x000b0000000120dc-7.dat	upx
behavioral1/memory/2488-11-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2488-22-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2952-25-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/1864-27-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3A44B3D1-7505-11EF-8BF0-428107983482}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3A44B3D1-7505-11EF-8BF0-428107983482}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3A44B3D3-7505-11EF-8BF0-428107983482}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{3A44B3DC-7505-11EF-8BF0-428107983482}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 3020	2952	Se008.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	Se008.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Se008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070900020011000e003a000600090100000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 309df2fc1109db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AFAD4DEF-FC11-475D-B15C-9DECCBDEEC81}\1a-29-59-a0-ec-09	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070900020011000e003a000200700300000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070900020011000e0039003b00e902	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{FA518BE2-9408-4693-AA84-C9A25DE775B4}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3020	IEXPLORE.EXE
3020	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 2488	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2488	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2488	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2488	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	30
PID 2952 wrote to memory of 3020	2952	Se008.exe	32
PID 2952 wrote to memory of 3020	2952	Se008.exe	32
PID 2952 wrote to memory of 3020	2952	Se008.exe	32
PID 2952 wrote to memory of 3020	2952	Se008.exe	32
PID 2952 wrote to memory of 3020	2952	Se008.exe	32
PID 1864 wrote to memory of 1416	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	33
PID 1864 wrote to memory of 1416	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	33
PID 1864 wrote to memory of 1416	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	33
PID 1864 wrote to memory of 1416	1864	e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe	33
PID 3020 wrote to memory of 2140	3020	IEXPLORE.EXE	34
PID 3020 wrote to memory of 2140	3020	IEXPLORE.EXE	34
PID 3020 wrote to memory of 2140	3020	IEXPLORE.EXE	34
PID 3020 wrote to memory of 2852	3020	IEXPLORE.EXE	36
PID 3020 wrote to memory of 2852	3020	IEXPLORE.EXE	36
PID 3020 wrote to memory of 2852	3020	IEXPLORE.EXE	36
PID 3020 wrote to memory of 2852	3020	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e712cfcde0da6e1fd8b5bf7dd5d5c805_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe"
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1416

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Se008.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2140
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
212B

MD5
39cf06d2bfaab66d510afffa11be4739

SHA1
8ad8a241e0502ed82fa21d70586537fc63bd63a4

SHA256
237f3ba7544466d2193e422f950d429834b26a5312764d80f3df2403b6a5a60a

SHA512
ac9adb8a2822e8aaba3f131e723babf11e258416a76a379fbd0fff859e72e0249fa825d5038107a78a2338777e6ae180b78ff56f225630d71aa8a1894d270188

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\Se008.exe

Filesize
328KB

MD5
e712cfcde0da6e1fd8b5bf7dd5d5c805

SHA1
1e0ed37f52b5f1c28187e64d893f0d27fe3c04ec

SHA256
62defdd68cd73b06364ce453c37c1a6523848f660fcb04cd40b47f9218e52420

SHA512
ef263be24b9b3b2cd069830a3df9833e4ff7d41d1a543535690ed76a5e6f60f816c8dd7a6148638dd92c4683c4367d92917ff7e19f79d377848af93a62c0680f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
b2ce7a0329a91e105fdd4ee8f544a455

SHA1
c31b37678227281c069124d4d2517441ce0e5310

SHA256
a572b75e423018d091b2f0505b2382074d5fcb214ddc5a0dc5affd00d5669238

SHA512
c4226bfbbdf46c5e62e0804394d93df4f43a197aeeb8f674a4daf8437138992485962c037b1bb805410f44aa6a6d7f50cf09ca1ffa2d6bec5539d55fa111625d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8465f244cc11807edd3024784da0ad13

SHA1
26cfbafec2e286b7792996b0a0d6ace092521ebc

SHA256
d7c02839d3ba7c40a19d2178de95c06de0cbb712158c56bd78ddd91f1135cc82

SHA512
c9f3d64a113ca2903bb9a3b8aaae6c9a746d1ef6f9e48a6682a2c432760c4d2990ec983645bcc879214f4c7486c569ea9c798a0afbef95ae3ea6077da93c415b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36c4ad52fe5064871834377c5589e70a

SHA1
b59f5a908555afbf37fb25832349784d86298a40

SHA256
abe61a5c3b631fd3132846f074cb85ba0b2d8b961deb4db2eadf2bf4d55c9008

SHA512
2aafaf41f8ee7c428aba51d42507e090390b789a2a47fc14edf80483b4605622978082396ef1d335ceeaf71c6892421a6400ce5995065af7f49269812bab77ff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
165b780d2e1f701e2fb0263344e358bd

SHA1
20f9e0f596b442c2436648794438333d5fbe5887

SHA256
9ae583620b486fd8118f329d60aa30063ccaa8fd0d4574e56857cfddf1f45e06

SHA512
9e91aa5119e1cb9c148f59e82dc0c7abb65e92472e346567442cbe30c67c5e553c21489300f5090daa8b2f35ad0b64618fb736daad035c54e106be84e160ad33

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
636c999a8069c5c20fc585ae787a8372

SHA1
8ad5a128a83f8ea9eb2249f473a59ffe87e38770

SHA256
69aea3bcdea35b6cac5359167a6cacdfa1fd0fb1885f88a1ff73a5c578119c60

SHA512
c86b9e17f5f994ea13507a97124edcc202cd5569ad1a1cf03ad5fb2a40079b44d8fc0b05744349c85541c684c116ae140b26af4fe493f3233f21b63a749610e8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8686a5808f79abd40af7c924253eaa7b

SHA1
0ea3cb1d141798c721eab08f483fc9ae6971f5d8

SHA256
d135903a66f89c7a94c08b941babae9541b9477fc063b1b785b5d97f1a3a3bbb

SHA512
8593044a35adb12cad1e6623696c1e4e31431b4408fa784505cfab6e261a6dc1f69f508153a10613976bc9667f3126f6e1d1501bf207606bbb941a5cfe01b0a8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cfdbc0d6a2353a57b2fbdb3b8eadf8d

SHA1
e56158a963259bb8713d0b2cf79f871f63402d8e

SHA256
06c58bf4c8f174f5be4dfa2a8c9e38f5d3f757a85c127b2bcff7253f9dff5212

SHA512
3e7422adb8f25dc02293431b4bd6354adf342bc8cbee3676cf384cdeaf3dfd8088fd4ee61916e3c564530cd4886d1da7346682bb6f55c345f422e8b9e76d9431

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdc1134c20a13032637f06c611e305ea

SHA1
e55ad4e97f34a07da32722808722ae7f94c39216

SHA256
84b9d6fd7f702f8f2230e92a88c9db631a6fa6a47522210b43aeeb96ec62b467

SHA512
efdf7e37cb5eb585f23a3223e870847da85dc97166aaa89d30b2e918a2ed6d994facbc1b0c47306d4b6aa775a2d7d64a64a9f9f6553ea4fb15c9d357a39d44cc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0580a24c3d8c977828cf3bdeb6bcf110

SHA1
e8e39b082eedaa9dc38a021f57e562616baaff0e

SHA256
8d856650d26161c93c2ac23fa2182fdb155c7a35d05649cde99f06ddf2de121a

SHA512
f7f86596b18484c02c5e78dadf6ee6b2b5f759d20636053227148ebc9d77ed9016f1e6a0bfb036e4d93a5e4ea8fa8cde72f5e58ff51007661e84da5040d280db

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
814854e57f6bf0450e62b2c795691e46

SHA1
24398120f8bef92e60092416291c0e31c6ca56b4

SHA256
881398b791d7ed687c67adf47cdb1b6713f6c5f05517143cadd062596de930d9

SHA512
e9dc9eb9c5fc4b16bc9c2cc63a3e8f6dc0ea1c9da124953202f327986d945419c0749f9ee27bf7495a36487554d2d910727169135293d21a07f1551c7da6307a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a13d30099afa4f2ab25c213d59f87d

SHA1
8c31adf864e28f1ff5d5fd659608ed135afdad9e

SHA256
8ab858673b722e2823531d425f5dc677e0b4d90835175b9d39d22253ed6c2743

SHA512
e03e4e74d6f18b48bbedcb125c76b777345e7c8301d032c02a26e595d566edd452b9d8b84fc2b374676b94d64ec5920ed1d4f07c3d0197153e90f1ca11692262

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43bc921457c26e22e90194ead2219bdc

SHA1
9cb6c80ce00575b351e80e6f22a0c513c287eca1

SHA256
426c604cc0d2cc9fa583d1ba896ed88afdb331acbce307467d4a231ef00432b6

SHA512
1fead147c3f641644519d4e79f8f2291c153549a2350d10ef065b5a27289bc63e7ff6f050bdf09330cb0d32767fe19363e126bc9b53b0b6dd0aa5edec6b013f2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67ba9078812dab532747494695d0af40

SHA1
73b832f3583299cd7d111bfc11d9e1acf8530c9f

SHA256
a7be9f590d10e7abf8a76a1d5bb33d45ed7b675910ff12ccac91edf7170655f3

SHA512
716b161daa1c82087687bea565b934118b6d39887e87d96f72b8e3452ba2a46e8bb159f43c2996a2530f75f81bf942548ecbfa910d435153382af660a6a3de1e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2890ea6755573391ac1d90cd98cbac85

SHA1
d87cad33862b1104173b32a3c53f5975ed2a1a28

SHA256
cda6bde29f1c66f44cc7222c8cb8e9137f920bc79f5177f112be57b3f8efa11c

SHA512
f5353b958fbaa9beff5466d2052f13460df637f9e3f606f21faf68bc523fa06a6f0eafa4d2522fb01d03b100a76f9cf97170c5fba37feae460e57a666508dce5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28cc31aef290a720ee907ee8a54c856c

SHA1
46c2578c83377c9087c8fb02553c3ca26463c6d7

SHA256
36c68892910d2f5a1b44acb6a6903aefa7d88b75247c52f063a632d2483a9895

SHA512
61fd4ec8f465edadc59add0044a7b015f3c5b444d83c2c4002c3494540b0ddf79f7fd8a5d763785b9fa7541290c2aeba3ea47995a97b1e53e4992de209981b7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9e28bb6a827ca8bc974f99afa9a4af0

SHA1
244f8e3accf6fdaf072f858bae83531b5688fdfc

SHA256
f0a8d693777d1f32ae18a6ca7f9b4a2dfb7d588c9eb3b6a3493ba120093a4a1a

SHA512
591fa3c6eb124d3dc991ad2463558f6536e037445df8bdc2cfceb3faf94677b23a2b0381a327b2bf1510674c5b2bba37ab6710e02d80bece3b017b67613cd892

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
afc97416f4fa2f4b760d6a3e2d01cf69

SHA1
a7c58743ec107db83d5bfdfd8cbd8c5384f77772

SHA256
7d607ff90a541a20baf7ac22602868cd837e23513613af68e9183fa2e6962b2e

SHA512
c5c856ee9882f74a48ca7a38758f9c312e3b3f85ef257f0dcece1c9756235d9b25b02730094a698da04a88f74451e98313253efa788afa47dd70b7a89fb8a0a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9047201344fe137efe18c0cd4fee8bcd

SHA1
bafe4b729a659f540b804ec75281288521f1240f

SHA256
44a4a1e5c1f369f7ebf36f3d814b69ffe7a42a2bd4c2b0fae5cdd2bc47603ae5

SHA512
a5aaff4da6c7b1abb5e3bb6adcda379f03ba76fdc0d9df3f25b40377327000c06bb35d7a3ca23411efc32efd77f671c08958c7fee17921694864b4657c25a2aa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1626441afda60dadfd1ffec7c24e5681

SHA1
8c404601df1894b8595dc7beb2965b365b3336a1

SHA256
846e1cab084f0058bf4857537c1f26a9ea5c761ad98977432ea9d6b5b745717e

SHA512
51993432cd584928b0dc01e8cb37bd9e7afb21eb2c264fc620e7ed300ec18c719f09fe6b40c256a999df16c0e60ae7afb85a9de3078e20cc23119c181b22426c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f9e753ea812c031bcdb33b283ccd8a5

SHA1
47d65fa0e5c96097d5a3aaf92e8c29b6726f5005

SHA256
152d5d94fe803de667f9b605659905e5b6d25aa8c343e4ab89282762b5ad90e4

SHA512
4fedaabacb45865e38ba82ab97e679c2aa7f8e16ebb4f42d85004e8dc5294859467800f24b435e0de776ee773089f18bd3679b7665f1ff8c5a9d5af85521ad48

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
f41390543f5c8e30e6592ebec899a15f

SHA1
bd57a82b5ff0226d29bfedd6bd90e8348243c863

SHA256
889db8acefc1938926d2fde1218cd0f0e7dc831ff7f02fd174be19d082fcc49d

SHA512
a7da1c73675129e9c59b9ef818d9f3e951cadb59937d0275e8bdd9acbccab1c2cc6a7b6cdde48ec2488a0f8b95e9c02bd8b9d85030e5b34cd26d2ce34717f2a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabCEF8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarCEFB.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarD0E4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1864-0-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1864-27-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1864-9-0x0000000000530000-0x00000000005E7000-memory.dmp

Filesize
732KB

Download
memory/2488-22-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2488-11-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2952-25-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3020-23-0x00000000001D0000-0x000000000027A000-memory.dmp

Filesize
680KB

Download