modiloader | f4f9a6851a811650698188ef108bafb94a40f572758be3baa81cc9057361048a

Analysis

max time kernel
136s
max time network
130s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 06:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
Size

692KB
MD5

fed621783d063c1bacc61cde5b76cc50
SHA1

710ce1cf44256b7b5395f372a1832a4cfb640922
SHA256

f4f9a6851a811650698188ef108bafb94a40f572758be3baa81cc9057361048a
SHA512

6ff36681bf01a3ea8a4939ef36d4e8f8ab883f41f2ebd2f9ce32e69dcadde40fb7e84b8df7d7a8da4eab5a942abde4fda4bee87fdb9a0356b523820667a7ee7a
SSDEEP

12288:dAltGgozqi5paO0lp9USQVUSyrkA4YZ6J+v5NdTgxWaSTAm:W72eas1USImaYIwPuIaSTJ

Score

10^/10

modiloader discovery trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 5 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001202c-2.dat	modiloader_stage2
behavioral1/memory/2024-11-0x0000000000400000-0x00000000004B3000-memory.dmp	modiloader_stage2
behavioral1/memory/1500-19-0x0000000000400000-0x00000000004B3000-memory.dmp	modiloader_stage2
behavioral1/memory/1940-21-0x0000000000400000-0x00000000004B3000-memory.dmp	modiloader_stage2
behavioral1/memory/2924-20-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

pid	Process
2576	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	Xentare.exe
1940	Xentare.exe

Loads dropped DLL 2 IoCs

pid	Process
1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98870F81-BDD3-11EF-B1C8-5275C3CFE04E}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{98870F81-BDD3-11EF-B1C8-5275C3CFE04E}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{98870F83-BDD3-11EF-B1C8-5275C3CFE04E}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{98870F8C-BDD3-11EF-B1C8-5275C3CFE04E}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 2924	1940	Xentare.exe	32

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SetupWay.TXT	Xentare.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xentare.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070c0004001300060024002c006d00	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 010000000000000080ad585be051db01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\22-73-d8-da-7a-f5	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\Flags = "1024"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070c0004001300060024002600e400	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\MarketingLinksMigrate = 60aa8a5be051db01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4055D111-DE44-40F0-95D5-7ADCEB12E7C5}\WpadDecisionTime = 20541f5de051db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070c0004001300060024002d008e0200000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-73-d8-da-7a-f5\WpadDecisionTime = 20541f5de051db01	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2024	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	30
PID 1500 wrote to memory of 2024	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	30
PID 1500 wrote to memory of 2024	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	30
PID 1500 wrote to memory of 2024	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	30
PID 1500 wrote to memory of 2576	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2576	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2576	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	33
PID 1500 wrote to memory of 2576	1500	fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe	33
PID 1940 wrote to memory of 2924	1940	Xentare.exe	32
PID 1940 wrote to memory of 2924	1940	Xentare.exe	32
PID 1940 wrote to memory of 2924	1940	Xentare.exe	32
PID 1940 wrote to memory of 2924	1940	Xentare.exe	32
PID 1940 wrote to memory of 2924	1940	Xentare.exe	32
PID 2924 wrote to memory of 1716	2924	IEXPLORE.EXE	35
PID 2924 wrote to memory of 1716	2924	IEXPLORE.EXE	35
PID 2924 wrote to memory of 1716	2924	IEXPLORE.EXE	35
PID 2924 wrote to memory of 2836	2924	IEXPLORE.EXE	36
PID 2924 wrote to memory of 2836	2924	IEXPLORE.EXE	36
PID 2924 wrote to memory of 2836	2924	IEXPLORE.EXE	36
PID 2924 wrote to memory of 2836	2924	IEXPLORE.EXE	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fed621783d063c1bacc61cde5b76cc50_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe
  "C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe"
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2576

C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\Xentare.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\program files\internet explorer\IEXPLORE.EXE
  "C:\program files\internet explorer\IEXPLORE.EXE"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1716
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat

Filesize
212B

MD5
8e16803845905d41304c2f5697c027f2

SHA1
0b46a2a052cf2f833cb0b62692dc1a3bcb8fd53f

SHA256
c98cc80067ec23cab573da628859d4336ccbf8cbe867c441c1a4af8cb417594c

SHA512
c2f7d11005d2f44797999a146c9c507337ded747eafb2d0c87e0953446356b71090400cb47f72c3a82ddc894165408b7a8984711b9537c705fe2e3cd8a5ea50b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
544ab9794184252bc3db4a57b294cc0c

SHA1
4b69373e117e0c33b6b9d0c8f669473ab2e5806d

SHA256
42c0968e2475c497e24da2cd969f36772489a92891a51c9c443f21dcf684e8d4

SHA512
f28359625bec05536337fe7c60858905b0698779dc07d71974562ea0808f8f890460d12cc54ea0d3e402ab8c4e5a08e6086bea45d78bfe2fa433a8c7317acdee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3398fffc37c5928c74aa0d00af10a340

SHA1
47504827daff1f5693e0410aac375a81f3520c27

SHA256
ba0d6bae5325074ad9a5f075f7ebac63201ae9bebbb8cd30871bb40612f5cc83

SHA512
be166e766f50dab576d077f0de9e17daca7a26211fdb8e672e883a72488a974b50336b1517f157d9efb0268326b2d3419337da7ab4e230696ea967ad39b68e75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5de47eeea7cdafcf8523428d75c189af

SHA1
2d85327625dc4f4acbf55c8f5728784be9f549c3

SHA256
1c26b8d04a7bf6cd524ad2dd67506c11b1299de5a346997fb77d7eb8cf1f4fd8

SHA512
9116a25b80dac51f963042b9e6a285147fb3cda12b148fc92a899342242badf190aeeb317b57016ea7f8f659565fd0a5a830092653c7dcfdc2d642917a09f8e4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4f3b6dc2d7ee8eda7af4197aa436dd7

SHA1
b3396161cd64045cd5500b93a2bea856dc44f9dd

SHA256
99d3847d13ce9ef08af89e6e04d2b2902474cb07a8c1dd92d3161a3c803e37c7

SHA512
c7f80460656c80855c6f80fea37ff6dff80eec0807eaec864064c9e2bd7e00e54812964b8eee4d6fe56dc687a21546e5bdeced93f30477515885763e32cfd624

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06142bbf8a843e0d896cfa0961d2d48c

SHA1
799c6fc99a828eafb53af33ccb30903ba90c6f96

SHA256
8aa376ccaa7c05a8dd4b0583932a9880de051d2f399896936cc14f4b7abc62e8

SHA512
769cc6a21224454fb145cf24550f1a4460cac93936160e3d41bd55725b357ac54d5756a4d87309ac2400169af539a2946a409d89962e3a3e6cc60bc3dde59103

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9c932d78e8bf3154da335ca43d5a6fe

SHA1
8c21ac2f31b5e6c1b7cbff4ed55dad7b5b6f699f

SHA256
5dd90f2d348d22ae1bc037e077c336aff5a8233fe87736da5cc32dca54ef78e3

SHA512
a6a7de5ae5c0fd40ef3e6d8e2b3888c11509802e88c3b9d401fecc3eb380a52b18f2b77938a1d46ca8ff2193dabdc994662fa9364f4df368a41bb9d4858287ee

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bc09751a86590e1cda0c767ec63b6bb

SHA1
c6a0089d7357ef2d9110b5b5ad285290d172fe5e

SHA256
340ed5856d744eb2f9b78ba9fd3132f83ab11eb75dbcb9824aba1284f300632e

SHA512
e1a8e21c61441d49490f934e3c2aa155fe957b2d7314de43f058798c1cb3428cbded37f9f69c1fd9f1dc41ce0d4338567a6641ffdc8248ce78812fd9a44e2887

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17b15c5deaa9bfed931b182302135952

SHA1
e4e72b2f7cb2df51aefad9dc3b36f1f670fc3f04

SHA256
2f8e744127b4ba3749520aa51ae4bc7c5d2905713007ea556a2901992eeb2717

SHA512
fdb0ae72062f98a39d408a38f2e2fd771b5b204cde5060f18f9716995be3e3d978322d031c54b744e1c634c3f4b212cb822aa883f6bad1ee2e47654f6e748f2f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aaef40f4268380d33076f898276b788c

SHA1
7603f14c02f8dc4583020662223025513b888f3e

SHA256
3a39e79f75398df4a6a0b5900246ab22b8da275d0763e770691011210cdcb26a

SHA512
39cef6495224d555193475a05827053698662c738509228ad718fa6657f7c5a9527a6df188e9c4f24b9967c70299a0e9879d2ddfde03b30ed50480c5977d7824

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8cb0d068082b2bbd4448ec81e8379db

SHA1
eb27a9b733e4fb6adeb6d96a62fe69efc44bbd87

SHA256
bff3cbf634111b258ed0a22cb94d49af4b858b5a6707721d347a22380b877ffe

SHA512
7fb34441452b04f1c00805039a636dc4f7670f2ddfac3768c597e565a0a33a0daf3d29f38cdcd5156258b64f8096eaf8a37373a96a0e5c83eaf4be99d42b652d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f8e03ddc4ba2145e380655cde7b8f10

SHA1
6e94c36a387f6410e6d8e0f05e2258385840e25d

SHA256
0d36a3e17ca8c3d71bfb8a16576629ecbf41527d8d72b6ff7d1973a2853d6372

SHA512
8266d45d88b717d01558d91468a463fc49b30718166c26d64b5ef7de0229ec70f9d90ed3f8ea02c498091f8cab39d81fc2fea7bd0f24c74ea0354171e597796b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d9800f8854630cb8a6968347777b4b

SHA1
8baf3f0ac6633024494e2d0b1aa3573d0b909146

SHA256
f983a9c0eec05ad3863aed2c9cb9df358cb45cea7d41109db0ca9b3a06f714c2

SHA512
bf9bfb8d061286e27e18c8f5929d4043c7633b88bfee3801d908a66f33bf3d4f8a859bf9b83edba243f3e31d6b2364d8ad93eddfb916406183695ce56c07eb37

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c01ce0019b301f5a68c4e85ec058371c

SHA1
d4fc6575d66ca1a3e10a468963a6e573f17036e5

SHA256
cdb7c8f286a3095a9391989672d96348a473a95756b68124c08b8e72117749b6

SHA512
c1769745c27bb3f2f44001acaf8f7dcd76d11478cb643fc505846a24cbd4a94bf2ac67a56de45667122e37c96b84c541ba9237130e6cc38cb6d6c18ef1876632

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb3af7e2420166e5f515694117a21e15

SHA1
8f065cb681164b22201743a3a208c7201fd19c81

SHA256
13e414f61cf2fc3281800a6ac4f6e506a8ef21f01d540c2888aae47ca3cc5518

SHA512
6d551d0e615f45ba239a6a8f9c86a072d25f55f0f6fd1bfa7ed3b58627054f49e0e0744fa06c36a424119f9f0c5fbdbdea0519317ae4e54f031263fc3dfb2537

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e18bbfc963e1606f466a0df33387c1f4

SHA1
6b475bfb045c7c51832419b229c0d3420a62e998

SHA256
1c71501f6033845ce8d3d94ed1b85330e7bb048cb4abffa4e5771ab4b1f019ba

SHA512
2c0d3b6053a7b711c4be7a40525529da37980cf1daf75655371b354e076fdb0743bb0073af5171952ced944578a7cb5d8a7185ed49e76b54bb8c1c8ca143b36d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3405375d1772b6b0a22f5dd36faa7a43

SHA1
428f46610bfa62bb57970f435b857b3e1c422d6c

SHA256
b1e444421b95449fb1c4422c53784d1e27fc7ad1333330b36c1af7979a1a2bc9

SHA512
610a1e20200804ebf8f049b4e012604ad8594229896d05c2c5f77cb527add7b80eec29caa9e2c745d7bfc0ee5e0dd68f447b4f75238b8137016e2487114259c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
393655dfd06e393fa30527b03f6e7068

SHA1
b27b1a21255a12492d9bcd29172cbe79b45047c7

SHA256
cd4f8734f2b69967d5add9c27e1611d0b81d295e54970a7271b7beeb93406c9a

SHA512
f8568186aed41dc51b8d80b3b7012c372b37239138c400515284cdddf96288ffd605b3d24bb23a9d7d549e4ecd36ecd07bc3ba6a04707b9d6e11238ee81920b5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9414b9f657687a1a45d874850da40c0c

SHA1
4a59943682f0ed17b19bf5fa92b3d6b440a144ec

SHA256
adb65a2ddf12721e1c58d85a4b8a9afbaa8956ab0d49bde2d91f915a6724c114

SHA512
7e154ef968611be16884bfc4ff16d21b145a4666fbf89bd3c5227964af60d6b23229bd5117816338beca08097eca6d24bcf7bfbb8399ab5bdc2afc1d1a93d6db

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e70d12b0820e850a070aee831d7a634

SHA1
83a102c713f0ecdf0839f68b2cc0fb6eabdef3d1

SHA256
510519cd6d82fcf92d699e96f256e836e6dafa45a8b3e8a9c47235d57605446c

SHA512
6fd8726a84ca2e61aac7563ae58766f6e433a69966f21837b5ab605c54eec3f98826e6cd6ee9db2661663388864395b9bc23398584e97347354c909d37c6e0e7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
14cf9bbb6b877125716481e73b4c85d0

SHA1
2867aa8694dd7679f9a8c6a3bb8500a0cccade65

SHA256
c4bf3a1235ea3ec64ca65ea994824e7b1e43d01a0087504f9232a8ecd6e75755

SHA512
b58a99e3835a8e63abac55d961ce9afe409f72c851e76d9378c60c388339217f020fe2f8e08b9d073310ac5ca0449a825cb4773e743e1287874344aac0903019

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
174B

MD5
1971d71c62ea75c4f433476600caa4f9

SHA1
428e9b5498ba9746c123ebf3ffd86a14f73878f3

SHA256
3f7e7774532126e2c175de962ce9d620471f4ac75463457e1b93ab615abd4de4

SHA512
88667b670c3ffc78b442e0767ca0ea2c1409b8a2c5f18e69496831f7bfa7496e54843819fe725eda06de6deca9ba9dd769d4b5f3ade4126905ed3b1bb6f94422

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabD406.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD409.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarD5F3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwC82F.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwC830.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
\Program Files\Common Files\Microsoft Shared\MSInfo\Xentare.exe

Filesize
692KB

MD5
fed621783d063c1bacc61cde5b76cc50

SHA1
710ce1cf44256b7b5395f372a1832a4cfb640922

SHA256
f4f9a6851a811650698188ef108bafb94a40f572758be3baa81cc9057361048a

SHA512
6ff36681bf01a3ea8a4939ef36d4e8f8ab883f41f2ebd2f9ce32e69dcadde40fb7e84b8df7d7a8da4eab5a942abde4fda4bee87fdb9a0356b523820667a7ee7a

Download Submit
memory/1500-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1940-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2024-11-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2924-20-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download