modiloader | 1e4f92ab6da47a009c181f6902e0317accfbf686f8d8c32c15156b057a82f834

Analysis

max time kernel
135s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 01:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
Size

668KB
MD5

9f2342fd7908bf197c6b0b8838e9aed7
SHA1

14d572f56316a99bbb751fe87948fa292fcee995
SHA256

1e4f92ab6da47a009c181f6902e0317accfbf686f8d8c32c15156b057a82f834
SHA512

49589b7736bacd05f0f6f16442351d94d62b2c5040d90301206ffdc694bb105f8870359c8769051be4d86afaf9e2bb6ad9b9cf20eba0434a9826e3684f2780a4
SSDEEP

12288:TxGgcYEM+/97z3PEXFEcE0wqcxaSGRbF3Z4mxxmDqVTVOCK:8oc7z/wF00wqpSGRbQmXFVTzK

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2960-40-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/2960-54-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/544-53-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/2976-57-0x0000000000400000-0x0000000000560000-memory.dmp	modiloader_stage2
behavioral1/memory/2884-55-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
2748	cmd.exe

Executes dropped EXE 2 IoCs

Processes:

system.exesystem.exe

pid	Process
544	system.exe
2976	system.exe

Loads dropped DLL 2 IoCs

Processes:

9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe

pid	Process
2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

Processes:

IEXPLORE.EXEie4uinit.exeIEXPLORE.EXE

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{472FF271-AB98-11EF-8C6C-D686196AC2C0}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{472FF271-AB98-11EF-8C6C-D686196AC2C0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{472FF273-AB98-11EF-8C6C-D686196AC2C0}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{472FF27C-AB98-11EF-8C6C-D686196AC2C0}.dat	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

system.exe

description	pid	Process	procid_target
PID 2976 set thread context of 2884	2976	system.exe	32

Drops file in Program Files directory 3 IoCs

Processes:

9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

system.exe

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	system.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exesystem.execmd.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEie4uinit.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070b0002001a0001002e0028001301	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = b0acc309a53fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{472FF271-AB98-11EF-8C6C-D686196AC2C0} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070b0002001a0001002e002e00c70300000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{406C6C13-C92E-4977-B042-3E0FC230EDE3}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\MigrationTime = d0d0ca09a53fdb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-bd-54-75-dd-ea\WpadDecision = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8F685AC-F712-40CD-A835-CDEB5311CB02}\WpadDecisionTime = 30195d0ba53fdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\Flags = "1024"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070b0002001a0001002e002d009a03	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c2ab654976fe4a4a927b654e35dcf15500000000020000000000106600000001000020000000def4587bb0eb035588e792578bc6897dce18c3a09a39d83ae26159adaed0c6e8000000000e80000000020000200000002de8b672d9d6886ebe55d9baa03a80ee21727f8bae15fa1312d8033e5740991350000000672118e90500829b633e5aa2324bf975cbb017f740f5ff915e06ab7a7dc7b421cbf318b0500cdc3a15e5a6b8e2611da93cce1fa0449d656f340fd837b68ede1f90ab5661408082330d4918789c5404c54000000023a120482056d89842427884bfbb62fc3d4e5c333b48af4f533f50803427de6a9d7bfc9c5b7e413deecb2ece01b97f851e0afc7c1ea07bb4aa6256ca2ee7d57a	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

IEXPLORE.EXE

pid	Process
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid	Process
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE
2664	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exesystem.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 2960 wrote to memory of 544	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	30
PID 2960 wrote to memory of 544	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	30
PID 2960 wrote to memory of 544	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	30
PID 2960 wrote to memory of 544	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2748	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	33
PID 2960 wrote to memory of 2748	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	33
PID 2960 wrote to memory of 2748	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	33
PID 2960 wrote to memory of 2748	2960	9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe	33
PID 2976 wrote to memory of 2884	2976	system.exe	32
PID 2976 wrote to memory of 2884	2976	system.exe	32
PID 2976 wrote to memory of 2884	2976	system.exe	32
PID 2976 wrote to memory of 2884	2976	system.exe	32
PID 2976 wrote to memory of 2884	2976	system.exe	32
PID 2884 wrote to memory of 2212	2884	IEXPLORE.EXE	35
PID 2884 wrote to memory of 2212	2884	IEXPLORE.EXE	35
PID 2884 wrote to memory of 2212	2884	IEXPLORE.EXE	35
PID 2884 wrote to memory of 2664	2884	IEXPLORE.EXE	36
PID 2884 wrote to memory of 2664	2884	IEXPLORE.EXE	36
PID 2884 wrote to memory of 2664	2884	IEXPLORE.EXE	36
PID 2884 wrote to memory of 2664	2884	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9f2342fd7908bf197c6b0b8838e9aed7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2748

C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\system.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2212
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2884 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat

Filesize
212B

MD5
2248253fa4ff0e6e067f4f9e7180b7db

SHA1
da40ea382c18a9964ed926ae09f4c0c0a4c18ab9

SHA256
c24bbbb3814b356291870c1716d66fa7a0f37e6368cf445a641c1c8848bed1e8

SHA512
ab0174e34eacae7afd8363ba4d7d5275ee098a232c9fff43304033f9bae72c55965e17296498330028df15d16d4934123172b4e59c0c3b66d1e1348d3135523d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
f6641bd7bf85badd963e0455962e45ee

SHA1
d9365ee9bf5805ea1ac9caca7c5b8cbaa5c532cc

SHA256
349cd723ec2c6ef206de41f4702a79e4ddba2f7e8452815a726cbf41d1502f75

SHA512
f4227a56caa6a8e06968bbeb52b674cf761645d18efba92be52eaa51dab9dfc9f8e44167b2587f50fc2b07998977b091bb85313938f584c3f4bdaa88d93bb51d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6eb4d5bc4795408e18212f79e5086ec

SHA1
806f49abee0e95fc0ff0e7d6f8ab9c90c83f7409

SHA256
12d6c06765e6eec00c0bcf363848fc84f1ade96c024263a1b05dfc12c27d63fe

SHA512
99a9f0d9d2d90d5413f98c0e3cc5639f3563985e72c8ce4c1d40896c50ae247fabae53eac98bd95ed1ef4782a57afb4a0dba46a64f78becf5ebbf82dbafcce3d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66d3c072e046a870b244dbd24a66bb97

SHA1
992c551e557151ded583fa0d516dac5fecbba62d

SHA256
0722852b8ff27dabd1327835bb3a37c18878cae5d2e22fd086a923713dcb68e0

SHA512
9c21c4c5e5bc0235986ac33f658f5fd10d611c3a6d120b7e67dc1fcf106a75f9eea879bda99c88ce29da805eea6cc7fcf3e49fdd6e4f5c36fb68a8cabc41e0c8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92aace0ebafd2c8702b53e6e77144b7a

SHA1
974c210f8f2d05329be805144d9570e5a3e6fd7d

SHA256
d29469d32da7923be98919474ae050e4639f184b8918d5f842350a7c73f344f3

SHA512
879cae966ad8f743f4a542c77d11037db8647162c18636483cf6d30ad336bb88a0b3cbb76135413282dce66ff207014403a1e13db67d1ce7c50a1ed5867984e7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce516b8686137dd51f0306487fcfa61

SHA1
9f5f2d95a855e5a61a69314cf3373dc01ff1e7e8

SHA256
74a3070e95119e2d606154fa868a9adfa3dd93cf6aefc20938639bd31b645263

SHA512
e27ee5318ec840d27c4566ee6b3abe1526af52848505a0fd37db1d5af006bb7174c3a95b315914981354d5af40f2555905c2aa5f0330b0ebe9f30c06dcb90e36

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c179e13e7eac85ac9cf483798d35df3

SHA1
157575ca00e0d9ab35aa0bcccb2274f23ae19a15

SHA256
97932a399c6f43b1c372d8d5eaedfbaacdcf5477b8f41150790a59d6464b464c

SHA512
c373ddcdbee2578376c6cc749618a2776f7d3e20523af9214e58ae3104a2ea3877f12ca2c306f81caf555a6fb29984e90c6d6ae01fa250b84fa8ff83fc471d45

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c4af9fb39524018ebbfca6a3e241b58

SHA1
045f1f9c9d14f8e5fa4c77631bb494909e5ef7de

SHA256
c00f932ce6161f0a580d70d3662bf3e7f65c2a825363ac0ddbda6be09e449789

SHA512
47b04a47945489c5c9a9b080256588895ba586f0c0ab1a885e27d049d1777c0184973836fbe0f9bf5f47c4c6d9136700a4c86a76533c9614c59b2d8a5b7429d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
607776db10c08a263eb5e6e6c6ca5f54

SHA1
bdf715825afe4fc26a8211b2d8616a88b8580faf

SHA256
22eead5593a484c7a3e9479bfc6df43d49efcb1b283aeb004f6593af1660e043

SHA512
ed52d50430ad41b6233e8542d7d9e7f662c293f9fdfd190f834de549ce0b9c40e74b752787dd11d4ac3f2dfde95fd4c3c98b00dcd3ae98c685385f828b90bcb6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e0e42039ddc99b477dba37eede12496

SHA1
fc28141042f60be5731eaef1f5d09f05cd6891e5

SHA256
e9460151b6cde66dbe99faa861ff0ff67cb435288b9e095786e2703eb04ac754

SHA512
38bd41a2a78717e03b04b3e590826660fe1ac7bd85416e844746896d4868ea493db158d2f6be14cc78b751adeb513c4f19305b29a62d9d74202e7bf1bf7a068f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df30271f569b29119e7ecfcbaff4dbf9

SHA1
df453406216401057af414fbc07d9ca87039bf88

SHA256
0354f2a961764513b7b49d0c772ca113e773d0bcdb18d633f175a995e44b0fab

SHA512
c265a0d5241b464cddbc4983f645727cf62eef53c22f293e46959d5aeafe1ff4f138de8f5bb465f3b0aabf5b2e63b0f10de7605fe05d8263724da256633cb5dc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01aeef18c5350be7d58bac479fb3bef9

SHA1
4f3efea272dd50710f7a12a5e19ea10a050619e3

SHA256
cf4807cccf6a5250e2e756e5d79ff813a3391bcbccc3e0ec0195d11f11f621b8

SHA512
9cc2a04bd0a3cfecc649afaf974c80229416c1470c5c6ad84ee6f993b042d899f05d96c29d2ff30928a4d76a03aa928233123ae6feebbbedb9366dc89302b478

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf1165a9a6dc5429e680adb55c6d0d2

SHA1
06a5791f812fe15b5c2dcc284d0456f5366c6d91

SHA256
17a39cdd578098503e1921f20fbe148775332834b61d556b40cce180ba8f4981

SHA512
ff535f9f54eeb710b78e539ad5c758d74cccdc125c544f7ce51524048f01afdf4761e641fc6376570543f8efd9992792395a296cb21afec6dee3438bdcf32e8d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0be696c00f8ee0de9281df33e767dcfc

SHA1
6d0171b7ab06e50219d0db7e845d268ee218abbd

SHA256
a8c544a103669aa3c886060b6caa9bf15170363822ba03eb954425f6e3c03188

SHA512
a4f5d32b84158864e40fa7aa4de52df3eeca34f983eedf8cc4770e7a063191ea5102e1564503686fbef086e8b10d94158ddbb3547cc24848e5a13970e3c0cce0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91285496c54e8f0bc016f685da0ba0d0

SHA1
78e973b163b11a4b5656c84430723b1a5d08b02a

SHA256
98473c5af97b0a177f28bf0ea88488c1ee287b0526bce75067cf60aa64afd626

SHA512
a221e3bcb45fd6fea65f415ead879d4cc80d1b05b7ee6445e2df6cf9cb7b0b00e36157dac2879fde49ffcd3b137adbf11792f61b1b3a26d88123a21d8f7de87d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41c0669a0b39a6b4c07bdb5264eeeba1

SHA1
1c4bbc61905caae08219e6dbec0080b1c56d45c4

SHA256
78aa54c4e1c7012f37666cdb8d5e8958f3e3ecdc0f2f8852d47f20cd757e19cd

SHA512
3e36a646501a7997b44dcd413235e7356f710813a28501ae01dc0fe19c0c9f19c21b165de7d4f0f3d67f05e5a736b03235c9f39ba783d02c9eef617c11aa14e1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52d57d2086bf7190dc940a3082b6731c

SHA1
687a202bd82258035f65fba07a44606414a326db

SHA256
8e3607801d3cbc9429bf99a90d5da5dbe3419d5f3ec9720798f899708593a559

SHA512
8808bd123c1d39c9913f793e1e0cdff44e89c5877f3b26f1451d7682410e7becf8fd09a2997b14d5962e280e6d8ece61571a7b4014d15d856efc593668a484e0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14ee950685178275eedc919086421067

SHA1
e9f51023737adec73939447cd23bda097ef6deb8

SHA256
c5aa4ad75ec78910a08f7ed1b35b711dc88a389bc4bf563c75abe7954bc6f7c4

SHA512
d7569f8dedde27e9df80ed9e0cdfbd70365842baa198f88e5e6c897b77647295cd192c0479f2cb61ee025b93e81c8e7f34847cc5d42656f8db2d26c5df3e4a95

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dcc414a66ddfdbc7a9acb5ef046aad6

SHA1
7134fdee0ed5f56b0588bbf850f1c0bd1b5c3baf

SHA256
f6ebfcb4fa13ea3e6b43654b7eb8da83d30f09afcf8f0111956167bedabce3b6

SHA512
8399b4d045b4a23ce93277d41984ea15c9486d8fad95df28efbb250d8b833c17d5adb900968d1bd3707a926cc7074597ff54ae9bc7c18cc6799757ecc3e2d3cf

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
804ab64b8a893006ddcb2968858188b9

SHA1
ab953cd32bb8332cf1aac9ac4720ff7cd5e20507

SHA256
0885b7db901f45eaadf5ac196bc0f941fee1a48d3898a66eb32a6e0243427798

SHA512
9d2a9806c60438001077a722468963ef40bcc0be3acc340b2332929690204ef88eff5cce67c7d68864b7a3b1f8680780bb9366e7b429d0d499b544212fae4961

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8310bf9f89e0a3b08dee2e2ac4742dc0

SHA1
81e978d94f50197db68b0856843122648fdf4b63

SHA256
fcbf8146b1e2677b4450c65e9b33d63483401343ccc38606f6c66723022e3e78

SHA512
8451d923ed605cf4a8a21c4d674b9725f2b8659082e9c0a2dd0a8e5e420309d4892431f56d2ab5d803a92538201d831e4eb07a6826d25a3c1e41ccae5bb4c71a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d4f732b2868aeffb251f27b29b1bae91

SHA1
8f20b8247dc0029a8db9620322e6a71b394d3201

SHA256
f467989f8ecd94a708490e6d6565c7259f56fa185db67c2a5576ba66f75b2096

SHA512
ad5eca224aadcd013489b075a388b6e76f50f62126208262b2916b11b25e6e2202a1a51db4675bb1a0f0b1b6a2823c445111750c827f13b8e3bf6521408a9fbd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabCE2D.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarCE30.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarD077.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwC330.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwC340.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\system.exe

Filesize
668KB

MD5
9f2342fd7908bf197c6b0b8838e9aed7

SHA1
14d572f56316a99bbb751fe87948fa292fcee995

SHA256
1e4f92ab6da47a009c181f6902e0317accfbf686f8d8c32c15156b057a82f834

SHA512
49589b7736bacd05f0f6f16442351d94d62b2c5040d90301206ffdc694bb105f8870359c8769051be4d86afaf9e2bb6ad9b9cf20eba0434a9826e3684f2780a4

Download Submit
memory/544-53-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/544-39-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2884-55-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download
memory/2960-8-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2960-21-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-54-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2960-9-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2960-40-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2960-10-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2960-37-0x00000000034B0000-0x0000000003610000-memory.dmp

Filesize
1.4MB

Download
memory/2960-17-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2960-0-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2960-1-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2960-2-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2960-3-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2960-4-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2960-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2960-6-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2960-7-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2960-15-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2960-16-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-36-0x00000000034B0000-0x0000000003610000-memory.dmp

Filesize
1.4MB

Download
memory/2960-11-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2960-12-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2960-13-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2960-18-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-19-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-20-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-42-0x0000000000340000-0x0000000000394000-memory.dmp

Filesize
336KB

Download
memory/2960-22-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-23-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-24-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-25-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-26-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-27-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2960-14-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2976-57-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download
memory/2976-43-0x0000000000400000-0x0000000000560000-memory.dmp

Filesize
1.4MB

Download