58266363c0971af2036035fc7fe436b48c7e4f643900531cd40d01fb7365980e

Analysis

max time kernel
142s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe
Size

273KB
MD5

f591eb6c4cef194edc842c2539b6089c
SHA1

c425d334576fe020266b99f759e397c2b7c2b320
SHA256

58266363c0971af2036035fc7fe436b48c7e4f643900531cd40d01fb7365980e
SHA512

cdb589e357135bac491918228a0f4d8460b3e012dee30cc266685e18f31bb1252bbf5a132483d09cd6e789b2fc83db79ddc00e6a752bad6a2291208b3cd4dca8
SSDEEP

6144:V6+6vrAmfgJkmDX9bz2JiHTMMjGOhUkbEf9x7gp1G:5JtDtGJi5jGOhUkEVxWM

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2268	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	SVCH)ST.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCF5D7C1-7B15-11EF-A528-527E38F5B48B}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CCF5D7CC-7B15-11EF-A528-527E38F5B48B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CCF5D7C1-7B15-11EF-A528-527E38F5B48B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CCF5D7C3-7B15-11EF-A528-527E38F5B48B}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SVCH)ST.exe	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe
File opened for modification	C:\Windows\SVCH)ST.exe	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe
File created	C:\Windows\SVCH)ST.DLL	SVCH)ST.exe
File created	C:\Windows\RAV2007.BAT	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SVCH)ST.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005beb62ac74386549998bc854ab47b91b0000000002000000000010660000000100002000000079b60a7d8100645dd1fdfc5c63795933a5bdba2ec7ecd0930b353edb1cabe4a1000000000e8000000002000020000000d4a4bd7fba028c5e147601dd5f85c7025812bdfcbe03b6a90ae6c134ff80fdb6500000008987f29412e791daa467b28f12703e63ff48545f09d0696d2c35e15d095ebd3bbd44d5b9ddb717406723dc904b593dbd6d4ba6faa344315eed421b9b2486af63e2dfe08cd00c8d82155923f17a1c170c40000000ef425346987694c5c2b54c1c1eeb33f135e47e75d5817cc1f8ad172255dac41479921d6216f4a9a8fcddaf3f00937b523b270c1e66125d65d1981522286c5f55	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433413771"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CCF5D7C1-7B15-11EF-A528-527E38F5B48B} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80709000300190008000b002c00bb02	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "1t8qxpl"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80709000300190008000b0033006f0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80709000300190008000b0032006a01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000020ab7d8f220fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A4AF0AA2-2A2B-4B0C-B50B-B0FD238B4E17}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard	SVCH)ST.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	SVCH)ST.exe
Token: SeDebugPrivilege	2664	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2604	IEXPLORE.EXE
2604	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2792	SVCH)ST.exe
2792	SVCH)ST.exe
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2268	2096	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2268	2096	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2268	2096	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe	32
PID 2096 wrote to memory of 2268	2096	f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe	32
PID 2792 wrote to memory of 2604	2792	SVCH)ST.exe	31
PID 2792 wrote to memory of 2604	2792	SVCH)ST.exe	31
PID 2792 wrote to memory of 2604	2792	SVCH)ST.exe	31
PID 2792 wrote to memory of 2604	2792	SVCH)ST.exe	31
PID 2604 wrote to memory of 2892	2604	IEXPLORE.EXE	34
PID 2604 wrote to memory of 2892	2604	IEXPLORE.EXE	34
PID 2604 wrote to memory of 2892	2604	IEXPLORE.EXE	34
PID 2604 wrote to memory of 2664	2604	IEXPLORE.EXE	35
PID 2604 wrote to memory of 2664	2604	IEXPLORE.EXE	35
PID 2604 wrote to memory of 2664	2604	IEXPLORE.EXE	35
PID 2604 wrote to memory of 2664	2604	IEXPLORE.EXE	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f591eb6c4cef194edc842c2539b6089c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\RAV2007.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2268

C:\Windows\SVCH)ST.exe
C:\Windows\SVCH)ST.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2892
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\RAV2007.BAT

Filesize
218B

MD5
4e96f6815fb668529cb234a183f1472a

SHA1
dbfcae328d3038405cebfac6c880e3c00d7f1db0

SHA256
48c9e6e5287a486142c3e83d9531cacc31103d63d8d0dff7b72b25ba1cdab106

SHA512
9f87d018c53e72604ee862191afa635bfd20a810d4131c898d62fc8f1fd83f9f478090a61ce0fccff1de164511ab9ca41d70fa3e94c1c15c022dbef76d18f1ae

Download Submit
C:\Windows\SVCH)ST.DLL

Filesize
590KB

MD5
c8fef4924a92f685f5eaaccca5594037

SHA1
8611054fe7a8ab5ce8aa8d3f60c3725e39f44496

SHA256
ba6d91e4926fe6df4b477694b65849d68fbbfc37001f9330d52e81d6c0aecef7

SHA512
a1a936ea1dbcca9eae3544868cc5fe0686b3b1df1c42d60cab7647401f22f685c6cdf29a0a74f2767fae78701aeb52c586d1a586d6f059ef4ac486491720193f

Download Submit
C:\Windows\SVCH)ST.exe

Filesize
273KB

MD5
f591eb6c4cef194edc842c2539b6089c

SHA1
c425d334576fe020266b99f759e397c2b7c2b320

SHA256
58266363c0971af2036035fc7fe436b48c7e4f643900531cd40d01fb7365980e

SHA512
cdb589e357135bac491918228a0f4d8460b3e012dee30cc266685e18f31bb1252bbf5a132483d09cd6e789b2fc83db79ddc00e6a752bad6a2291208b3cd4dca8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
14939477d9a64a07c3e453bced220b84

SHA1
0aacf6c79e4f5a1eb9c40d57f5a5df55ad133266

SHA256
7449681ab32942a5d6f238dfb77c64d055265107a0dc594f06d7891bc1123f61

SHA512
1d7e8b5ad8a71c75170cc5036085d33b4a0b59260fa0efa9dc63a0e7f936e854e78e3752ee36187209dddb8bbf7efb060940fd122ae348ee5d0dedc5983d7c5c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbbcbb92eee575b8a6696bb5429adc6f

SHA1
69d6026329aae28e22f4d1adf883b7e78c373224

SHA256
e5546e860ad8a40807d70c69c3813b7d653ce5c79a388832b9fe2b02c5f9d88e

SHA512
6729c538423c3aa57e206d645757742b4c08b8b5158fa9cce9444f9b61d9c6118f472978715ce6dd26ebd676ab89818566f3999cb548fc2f2d5d00ad08c665e2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
139ea0b0693300379aeb45017c8bdecb

SHA1
b752e68635ac8770856dd43b012c5db403693db0

SHA256
5836429a8358f446836ede5d403fd1a0c92cec46bfc2c211c5ee31595b45e858

SHA512
83744c22f2c4f48da5d287b3a9aee42b0bc3567ff905928a39c150d3844bf5f3cb644f2074e450bb0d97e643f578e43963bb87bd758607b208dd124409a1b0a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b8599d0375ace8f3f9a7032a19bad79

SHA1
70f0952f44845da5ff75fd268c1de3631cd49179

SHA256
cdd6e7b0f7bebcddf8a5dc4b9dd2f0ec7b499d57079ef567e8c18dce6dfa5d8f

SHA512
3dc22446446c5e8353b7f94ec481c18019d33b2402562f25780263509126de10dff71153bf0c3f530ca8c11d79979863933c4c31880a28574199a1f6223d1849

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc052fa832b33f7d85eba86b623d5a80

SHA1
158678d5c694b94ea46ac5119df9c63bcb1a149f

SHA256
8794f5015cf59a81e535908cc94bfd8c27a9910ae681687081f75879a8c8ef15

SHA512
22837d674da5536e49fdd38047ffe6281e8bf0aa84a2c1815480d96c9a5e70522f98f28e6bca003e7f0e9b4793de00caa5ec61b2cd58fdb65405fa32b53e7183

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32e0ed844b7a0491bfe082d2f89cfbcb

SHA1
08bf0da47e2a798f987a7cea3536b1212d18a7be

SHA256
8bcc3655718e9f44e3cbf893b6c00fcede1e9ebd6c6ee32205d252c632d715ba

SHA512
9c32d913745064d6d8dd7f60d4f69d0691f0cc3a82f847cbb73480152dc35576d661e0ad698bb745656dc963ce422333a8ea82a9e0fe35f2960ff9aa7648c0c5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae3a1ff56baafabbde774a57903fc6be

SHA1
6d2019678ae01ac1788873160cbb6c5c6b405e0e

SHA256
6802379fbead23c7047cdce1707f159761d4b8b6b7c3bb9c28eae89c8253b45e

SHA512
7dd94f751f8d0e00e3913a044da85077807ab100575131f1970326a87c3bb7e303f89ff523aeb7d8381293185214b82fec0ee3ab5d6e6b410a3f462f66b41a25

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
551b301bb9d758a6c735be29febaeeb9

SHA1
444f094cbab8ac3091d6c44fba570988a4462ed3

SHA256
a36ae3c31fbfa153b89978e0a2c506b568b5884aae9ca1995264d9e57b4c6e93

SHA512
671751dde1ef5ef9e385d3675a9695ddfad772277ca2b8cf7045fffb7860a9ce5230741c1945c4c4dd68a39a58042f18c44950948aa77d70fbed1957cb1a0742

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
016900e8501e27d7d723d2909d78167f

SHA1
8941e1dc6ea0887e65dc250942a462b193d5101f

SHA256
67bc84997447ab1d685852073c451afc332f389ec6c73875e5512e2746a2fb39

SHA512
9985111bf5c52bfe042e01d04cbf29ff16acd794e95c1736a0d17ba6bc2c073371b21b107b2bc74aa30d8e4809a745f3a503fdbdcffc8689cb9c0da71348d5f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b85b267e0c8298cb25e3272fcdf5bbb6

SHA1
2ef9413d26f2c713c54c9b2b75471d32147907b4

SHA256
9940161dddaf7abf34eefc9084fa40a04261247ef7d3b90890e4a5fc59675e88

SHA512
0a58651a771d2c284a567e75d0abaa71e67bdeb556de789493d76fbccdbac22b2c1d020c1e823dffe946ce0855f8589e2c3febc1a8b62f947e62a5cfe3ee0ce1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c85a09299e94d89dedb18f9d7deae94d

SHA1
3e04f6762abcdff17b97de7dc426b1a0e3a89c5f

SHA256
374b5502311e9dcfcc6aecb0bacef7f4e2c91da8780be42b0892bc2f0b28d767

SHA512
b94fb0112afdf4c083dc26002ab83d621a6e58ccc0d6a38637a99f958c63ac038277df170f2a8875662f637c811ef673a89125cfdd7e60c3a7b6a933d9cb6251

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
baeff3bdc7aed863cd65ef1cb2cc09bb

SHA1
019b9c8639e1113cd9fd1e951585587e840f32cd

SHA256
39159ddd2f2e07a1dccd9acd041fe6a09e3244ad6395958fc4ea0adbcf400f5e

SHA512
caa205b1f941e30596a758e2f7bda7a27dcac5d4a40c91675decfab38e2b6dc7c0f2146a8b18787334e32a86f8b4ea8496024798bc42da1cd658ae269baf9a15

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
574603ff9a91f86250c11be2714fdb81

SHA1
d48e74219c0a288f76136b78bb6b29713f383112

SHA256
9649149ef0dd465f0473092be77876cd94ddfd74f99ddf38149abeea197aaaf7

SHA512
cd37603adff6e9067edba48effbde7378140a0d86d475b1716c6e32e776b509855cb30ae8ead25a4f5b66d4364d12a975c32c36b74454bfd085a1832d0134a91

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63844397814c0d589670264c1dcb1fff

SHA1
d2d5ef2039c92d33f902d384d6fb1a624fb0ba06

SHA256
41701897e4c7833cc864363f330382fcf004aefb9c6e51cd28eb866885597821

SHA512
372b2228be15759c63a6cd0960bc3e498da356474a5248d4e4886c1ffaf2c1d14c26e7d47dc118bf0d45c2134e0b5f518e8ab46e6b602fce8029c7ac5d84acb4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
758fe5bb32e1e132712795ac18c77ca1

SHA1
224a0266755ea2218cf7fc9845c58b022adcc185

SHA256
1c9ee52ec20c44ce7e2146b1499007c15851cb785bf70b53df00a14d1f944ad4

SHA512
8cb411cf18fbcd51972804332ee4eb7a35f485f178278ae1871e7468891652c44b91baf991a5ea22f0df8cd7ac5ce21a1a9b006eea72e3ec7e9966f78e4c80e9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
391ad13991d5ccc19500c565b374986e

SHA1
483aa2bfdc1841e25cf21460d28c44110ebe5597

SHA256
95c7e571182134d1d4cab7fa1fc0866b43a3ac4710f31098a526c9905ab6fe99

SHA512
8d746b51ff0b4a37efe6052a3ea5fcfaf9e2ee8f63c77ac5fd4dc9d8f5a1ff662baed3ba4bf779eb28a201c8f3db1624257cfbc545f8d89087f6a2920cfc7c50

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4a369478f86b789df948b13ee487b30

SHA1
f1fb2956d72f3cbf8b3adfb3d5650233b8acd2fc

SHA256
2ad234fa41dc6e10b346129e03dc8c9e88883409f57efd222508cf228430de0c

SHA512
e6c199fd66add085c1e27fa0f69b00814a3a162a004277b61597e7c932728f7164e71864462ecb044690a91ed6bbda9f545cbe7ce39ae9742e65a85f7f5618f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff65e2943108e101fbb1860ef7a42e1d

SHA1
214a890fa1b2fee0709278716313ba0997085086

SHA256
7ee12e4fa278f3bf76412e4bd370a08b82ba6c0170e88062ce93c0b255f96f4b

SHA512
d9fe47ffd3755c7623d6471cca227d71518fe6bfe0bb156a0648d87c5fb92ea844832da8c08a1e799eed5b3ff5b6b850471c28550abfcd0184ac79467da14d23

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09a5bd1dc43c8bda2e9460c3ed24c7f2

SHA1
bc72445ce2fc746ba68c5f9442d47276bbed766f

SHA256
f544bbd752c847d059c190e32f4203770fca444f24d96c81cbbbaa3f2a809be5

SHA512
5ebf78b9a8213e4bc47800f3bc29741c228019f4b053415d8aed824ea35d0caf4b406835f5409d930d0fbfe19a4724d45a831430bd75e212d57522a10bb5aced

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9be813552ce4b6147d43844778f216fb

SHA1
4ea91a111a54f7bc0223044710bd510e9d1e62c4

SHA256
7d0cf59b5323004263e888d27beff30599bea722eb38e9fd9f19ea6542601387

SHA512
5cf4ffd8ae2fc2194ecbc9e830290348346dc41f492c1d428137f8a05b99a517e30da253deb01c5366f2a45d9177e3f049c3b41e0da180f35952e361e74ead1c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e75b90072494af54a2867a2204512120

SHA1
5dcf9977ba448d49a900f7a2b1f13e352ccbd43c

SHA256
aaadeb052657ebee349cb10aed7be1c524353f330374904d5f704319891f30cb

SHA512
808daf87ad65f362db5192a7c660ac1b2ef267cfd9f9f380fa2dc72102ec5d23752fc4b6ebbf4fa8fcd314d89f50bcb6c623ce732f041908a568a7bcba80b8f6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab87DA.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar87DD.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar8969.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www7BD4.tmp

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
memory/2096-2-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2096-15-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2096-0-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2096-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2792-705-0x0000000002200000-0x000000000229A000-memory.dmp

Filesize
616KB

Download
memory/2792-704-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2792-633-0x000000007731F000-0x0000000077320000-memory.dmp

Filesize
4KB

Download
memory/2792-634-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2792-605-0x0000000002200000-0x000000000229A000-memory.dmp

Filesize
616KB

Download
memory/2792-5-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download