modiloader | 875195c22e5fc8a560655f41cb0d9547e6d02630e7e2d4e40590051f1e01ea54

Analysis

max time kernel
118s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-09-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
Size

667KB
MD5

f55e9bc584e959ac7777a02bdf6079c1
SHA1

a07631efc4a0e526378163a80deb11a341999a26
SHA256

875195c22e5fc8a560655f41cb0d9547e6d02630e7e2d4e40590051f1e01ea54
SHA512

1786293ae20b4b34ba7d810489a8a6b90dd847d7869ae9263faef4c20c5f23b1c825cb0b26133b57d658fb7beba3fdab027091d8589441f591ebdb62a313eacc
SSDEEP

12288:0QUPkyQGoajhzZqvMcZri7f7CZfsvvSF3Z4mxxzDPmqLP9+z7/2d:0AGpjhovRZQfGZkHSQmXis

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 4 IoCs

resource	yara_rule
behavioral1/memory/2820-58-0x0000000000400000-0x000000000055F000-memory.dmp	modiloader_stage2
behavioral1/memory/2664-60-0x00000000001F0000-0x000000000029A000-memory.dmp	modiloader_stage2
behavioral1/memory/2416-65-0x0000000000400000-0x000000000055F000-memory.dmp	modiloader_stage2
behavioral1/memory/2768-64-0x0000000000400000-0x000000000055F000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2844	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2820	winlogon.exe
2768	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{370944FC-7B05-11EF-B4B0-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{370944F3-7B05-11EF-B4B0-E62D5E492327}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{370944F1-7B05-11EF-B4B0-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{370944F1-7B05-11EF-B4B0-E62D5E492327}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 2664	2768	winlogon.exe	34

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	winlogon.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80709000300190006000d000700240300000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000010e6a8f9110fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 5039caf9110fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-e9-62-78-c7-6c\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{48BE3D07-CE27-44FD-83B0-B520ADC97E7F}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = b084a6f9110fdb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036c899d0cd6e1047b6a77ef96a2cd97e00000000020000000000106600000001000020000000aa46a784c990070fbd122fbf45d2fe480bbbf5727d1e474b3d8cc0cde97a3545000000000e80000000020000200000005a1d1b686dd3e47acc72da4f8fd08f4dca1d4dbbe6a098e5abc1a166fba497c6500000009b667772b091b0a99abfb69058e23acb1a755bd9ee7c76c3987efffdd120edc56187c812bc56bedd3ec9fe140a1f20c29941dea2824533289c1d95d94c77148cd83d95b5b600bca5e8fe024be74ccfa0400000005c9903e3b88f1ea7ba14559abafe34d5d45a1cae8a39e9876067b67b135a0f6c78dfb0363d5da20dbee1164a6bbb110c7f233ba9bd10c7f6574c03770e8d2e91	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000036c899d0cd6e1047b6a77ef96a2cd97e00000000020000000000106600000001000020000000aada23cc1c1cd20187c6c5e918e961f8b0eb97380924163e06c4ec00b0926f12000000000e8000000002000020000000637484c9ee9e5e6d7a95fc20b0f5af10e4aa73cc282d4a5fd910f2a8953db9f9100000006ad92c4abd33b54e14158e697e146a6e40000000ec61327ac7f5118ced5c8a3b8d1d225649162957fc117f7163d1e636bb1d7be8f09c0dc50478d1a404a940a418f10796d7c6a3062fed23305edc59b09cc9b5ae	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE
484	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2820	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2820	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2820	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2820	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2844	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2844	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2844	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2844	2416	f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe	33
PID 2768 wrote to memory of 2664	2768	winlogon.exe	34
PID 2768 wrote to memory of 2664	2768	winlogon.exe	34
PID 2768 wrote to memory of 2664	2768	winlogon.exe	34
PID 2768 wrote to memory of 2664	2768	winlogon.exe	34
PID 2768 wrote to memory of 2664	2768	winlogon.exe	34
PID 2664 wrote to memory of 2712	2664	IEXPLORE.EXE	36
PID 2664 wrote to memory of 2712	2664	IEXPLORE.EXE	36
PID 2664 wrote to memory of 2712	2664	IEXPLORE.EXE	36
PID 2664 wrote to memory of 484	2664	IEXPLORE.EXE	37
PID 2664 wrote to memory of 484	2664	IEXPLORE.EXE	37
PID 2664 wrote to memory of 484	2664	IEXPLORE.EXE	37
PID 2664 wrote to memory of 484	2664	IEXPLORE.EXE	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f55e9bc584e959ac7777a02bdf6079c1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe"
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2844

C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\winlogon.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2664 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
212B

MD5
22d5d6b48e8cfab89605f426ff45db37

SHA1
f7431ac4c9c61c87016b93c39c68ec207d6ce169

SHA256
c9fcda8de9868c670b0ab963f8c11383065cf8e7d174bec0f02cbc8d8b60c3bd

SHA512
1ed9bab5e5e703868dda7453718d369496fec5b84b88c7cad5ce60e5bef63d49467096ee27a2c00c6b565c0de7f0091c4fd82ec7319ef143642ff81a8ad8257d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\winlogon.exe

Filesize
667KB

MD5
f55e9bc584e959ac7777a02bdf6079c1

SHA1
a07631efc4a0e526378163a80deb11a341999a26

SHA256
875195c22e5fc8a560655f41cb0d9547e6d02630e7e2d4e40590051f1e01ea54

SHA512
1786293ae20b4b34ba7d810489a8a6b90dd847d7869ae9263faef4c20c5f23b1c825cb0b26133b57d658fb7beba3fdab027091d8589441f591ebdb62a313eacc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
41ec0956dfc37277771cee7b9c3e3f66

SHA1
e33ea5c76d79bf9b31d9f51b06d7bda516f0b037

SHA256
e8dc8f3b8ace5efaf4f91eb7edd7354d96e527bd138d6ea551d8e5cbe32cc99a

SHA512
ca73d65e6232fcaab2a8d78175f856194982b0a187165bf657b635db7f23d3f8f369c19b77240290a4fc6d51e2abf23df24592e92549e5b1c877b2fb414b53e5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cd3700edcd8c44d4356909d81217419

SHA1
896726c4a9cdf2ed12bc72652fe860918e4929f5

SHA256
bd0ca80d465843eb0a0c1f035f4ba193e59f28ab0053889fa6f10928853635fc

SHA512
5da8f6498790437c5ac7951f448bd5415bdd738204b1c89b5e7f8633c5e6b5981b718620ecf23915fef0b4eb1abcee188130517c4b0190b93ce3532bc362f94e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1b78f15d240ec2544f75d680759f870

SHA1
236a47646f7c1e61ff7a6fb53c02636915cfa7f4

SHA256
c89c645527b1be79d8f792e94582d87676b996b4c97c573fe8cba88466f51bfe

SHA512
b4d7bd956d07f490b726bf761a00b388f62d9ad23b71347edfc8290aa7591be45dd0c0b68f1be582a380d9759a2162bfafcad6a4197fe9264fcdd198b41c13e6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d03ec32a1ef18065f3ab4006f2e6abe5

SHA1
b940a68ddb845934e63988fe572734610b13605d

SHA256
382925f127142639488631cd096251c90c76424a9462fe13a14fae0be6cca1ec

SHA512
1516071b5b50438d7f847957df8c50c16525dc45e32f5929933e574c64a177363964b825a15fc40265f07922d7d86702182d78c37b4797eac7d542327065749e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8482df0f524940398341227d61c26f0c

SHA1
f9957e597bf57cef8f4a9751dc69ccc316e05bbd

SHA256
3435c6d7d6710d734afe877f12d99f96a861b91fd24cbadaf41e6b6723ab419a

SHA512
e3f4b0f4e759897cd76df0608723703e24223786bd22bd1a7f9600cba97800bd0d6ef276dc60f293c3214e846b70ea7d38ad509823c54f5b38ae8d9807fe57f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10860e4a76b1484caf4e41f80d39d498

SHA1
0b07721eb305b0f86d0203efb77bc02c8e11e590

SHA256
450e511ef5baf0193b0d0cd8a85a6feb00c159c20f3d2b4130fcffd25a1d04bb

SHA512
cce9f4f6767f7cbc4d847a3e9b22b699f3cf6a8b1d822135d57fd734745b63199114a54dc54eb6ca028f592a59db5149de8d197474db404adadc497d23b36fca

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7177ea71d9b934e83cbef29e28d2204

SHA1
6c95475c79d264ad41d1a6879635ee1dbcc02b23

SHA256
259a93cc4cc9dd1505a1fdf9e35a1b08ae1ad85addfeeabb782ba282caab2517

SHA512
b7820be82d1b359dcce5811d3038ea5f2996cf94b341f90a9d1ac08b8e6c5607600f0aed0ae92d7ec50cdb622d908e53fcd1689a43b2f4d36a260eeccc6ef649

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86bf1b28b613157bef6fe6c83a081578

SHA1
adf3ca2e5b6637e8eaedc56b105c1e316043fd44

SHA256
e12697b6bb693db34d6f0e4af87fa9a6e34a77e7287c1a837d36175eeb415abf

SHA512
c269d938ec2b38db51849518d443aa7defd9338a17be5ef08064b7482c600a2fd01b5f4653c8256b4c0be593fd7963207619526d805f75a25f7097d465603bad

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3c4a2b0611e85baac7b4ef5ef936404

SHA1
91b711f166079a3d00f01f3611570164a707b539

SHA256
c9caf49f9c01e81ac3268f4d98cf4264121983a3057b9cbe8fcf5ee133149506

SHA512
ce8ff7e1d94bf4a1f5eb8902945068a44f48168eb481a3379249d59960b9b3288ee2f461033ac71b0c8cd7bbe3e847a984e24ae3a9b5b26f203fa843de0cf5b8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
471f62d11eefabf8fef116d0845b79cd

SHA1
f15d1b33f85cc4e7af278477463dae9ed7794fe3

SHA256
18795610e526c9f92f3f89bba5b08830ae4dc573d92f098d65b664dd90dda968

SHA512
42cbeb7f4f4d2296026f0e1f7cab3991fc3c9fe9f78ac32f9a2bc558365cd843059d4fdf5a5384230472b641b30e972b3190ed4d254d008572dea15fa2151a15

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
538b095a41139073511a86ee7c8cb802

SHA1
4349c0d88e69d1a6a5abdea0e8d981cb9d703594

SHA256
02f9b485d12071c32ba00938a853413a28470d6d9574dbe428987c49b471d0c3

SHA512
f395681d908e617980cca26169f805d18da36b2ce394cebc3e8ad4148dbcf1c79dfb05807c64996c7cd86c2f43a3864fe92b4690b30eb1c9672eafcbf10bab72

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
548011b30176b3a90fd1608f263ef6df

SHA1
d3700a2b2ddacc2dcd672158dd8a2d43806b0ca1

SHA256
c3decf20394af4f83628802070f476a4dbf8bda2f16a99e9da3d499b9d3e8762

SHA512
c969523c8a6a783305d766167708ea07a64a238e8c23ba6751660c1ee275d7f7cfb29eeffb1d1c84a543b5fbecb5e8db08dde9f1b723938442a9166db665fa3f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6d4a9b0b8bce37f032acd98099b8464

SHA1
7a200c528910aad42cd26b6f53aa1d664b667dd1

SHA256
92778aef02b18e532d5d1457794a7519959b0ff6b8a06e57ab6dd85fffdc8838

SHA512
ea64371586b9d35c2ec29a136d328cac2af942106f62af630ec4045f3836fbbf157da01dda1d14059e3a30f0723929a4531d7b1528b578383f9bff9e49bc03a9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
729046f394e2177b95115dbe151befb3

SHA1
a84a33e268c826b49e90a66e322b9fb6ff927f98

SHA256
9d53c47f1da4de3102a853a6f322b5e4293275897c3fdb8dc807d022c27a4ac4

SHA512
815c6b1318573a4921e1f225c278884d66669d99558ec00b29e3983ee299ca663672c06d1ad6f4adc480dde80ac6048952ffb4283bdaf691869ac2c25c423165

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d780b8f6c44c0a128ff1c740006b7362

SHA1
95a8803fabdc1d10fb7377df5b36d577251a999f

SHA256
621e6a41dcb5800909389c0af030208f31a8af3f2dc5b07f754bd2f5b5fff534

SHA512
5fc18cc53bc1aed0e77cb119c072dfa3efbcb1875ece1a11e50c2e38537950c0dfbf7a5141d6ed9852a4a4c12f57c80a4c75123b3e56551719c1a8c6da3ea756

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6e39649e6721e1820d0c8a42e597ec1

SHA1
c63bb747ffad5a13ca3cb99f6aa34368475ca951

SHA256
3778a20462393666670d5845253c1f87055a48111680c1831b3703a28f367184

SHA512
297ae12877f37f127471b96d7a8aea82141ba521e998ae9025e1b2e631dc5c85f41a6a0809581dc1cc1a77c506318e3f9ec60cb722943301fc892ae473ec93ee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd032addba396544d26aaae72b333844

SHA1
7370867f73ae6c69bac3d5590975f582eb987b83

SHA256
648c7582fab399e00710cabbd4e65f0d1314c62a67dcec4a8b3bbc0f42f17834

SHA512
0d7afe6e43bfaf58cf6288546d27bc0d9b79f5601ef14183634e13f47539be6a291473bb5ddc7c92fc6fc5e44da267eb1f7e24e93f87d001f08b74d0a847d425

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d1c3dbb8769353ffe01b0132576e5e9

SHA1
287d159d86bfcd419c7af5804c190e4da49e213e

SHA256
fd1f4e62f630bf044ee3f559e6114e06c6936fc59257d10476fffb8c8205cb73

SHA512
2be40ea49a16d45b89d17f59871b90827891260a7d1283c52d0cf57d68cd3b4822f3bc9928105a47940ac4aed3337c84ef1138ac647665f5d2343bd0e610eb1f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb67262f5efef95b1b8e5703190ad04

SHA1
da11b49f73a15bdf002a4cdb96f563793b858fe5

SHA256
6fbd083f045fb038a73ba7caf59a1f6e0b1b317fb8bd73d9c6e0f2e5ba418626

SHA512
26b2d56b0468b69a682ac090e75acf44a88cd6450e14a79b3da95168278f55d11276e4305e8eaf2e3be0b3319a4e0ce583bdddcfef1a183cd321f89b18c04bf0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e0e429cb2d76543a6badd313a7c0b1f

SHA1
d3cb2950fdde73c6eb2db317c46c8289b288b0ec

SHA256
51edecbaf2c051a5b52924d49dcc1a42722cf6a59c53d3ee18dd8b16c38d670a

SHA512
33da0cbae6464128bb0825d44817f7386e1d55894cd13a184d213a3ce2cd9dee5c7cb9cefb8702cce3b3584e61356f68ab88ca254fdea4ec7e48b4c45577720a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4a3b523ca69bfa865d1d6ce754f4b5aa

SHA1
26d687d402f9f0a6ccbde71b6fd69a1855beec01

SHA256
c1d53075dfa63d9b77071000176405b3521a5887604c7ba70d8685cf71a71077

SHA512
5177bfa3e1871d2ba4df17bdeeb85dbd7bd9919f75787a86bc2600e38c5b5a0e85a3a78dfec3cae10d6a5e4d69ccd356c818efd05ebb3e905132997f20848e8a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabEEA8.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\CabEF77.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\TarEEBA.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarF046.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwE282.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwE283.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2416-26-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-18-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-1-0x00000000005C0000-0x0000000000614000-memory.dmp

Filesize
336KB

Download
memory/2416-17-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-20-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-38-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-46-0x00000000034B0000-0x000000000360F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-63-0x00000000005C0000-0x0000000000614000-memory.dmp

Filesize
336KB

Download
memory/2416-3-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/2416-4-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2416-5-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2416-6-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2416-7-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/2416-8-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2416-9-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2416-10-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2416-11-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-12-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-13-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-14-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-15-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-16-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2416-2-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2416-19-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-23-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2416-31-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-32-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-33-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-34-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-35-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-36-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-37-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-40-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-41-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-42-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-43-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-44-0x0000000003270000-0x00000000032B0000-memory.dmp

Filesize
256KB

Download
memory/2416-45-0x00000000034B0000-0x000000000360F000-memory.dmp

Filesize
1.4MB

Download
memory/2664-60-0x00000000001F0000-0x000000000029A000-memory.dmp

Filesize
680KB

Download
memory/2768-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2768-49-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-58-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2820-47-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download