modiloader | da40cf61eee19f3a427e9697956aa7af9a46c942461795bef1aa3dd385d4ad44

Analysis

max time kernel
117s
max time network
134s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
Size

690KB
MD5

19c9ac3ad43cfef8c4a5cf3640f6194f
SHA1

b256386cdf83edc56fa76cf0e8828c3b62991c51
SHA256

da40cf61eee19f3a427e9697956aa7af9a46c942461795bef1aa3dd385d4ad44
SHA512

e75308831ed8d5e7ab24b0d122775d966b9d8dfd7ddcfaff57b6615623d7558b9b1b6d89a28051188f6b220c3633e0c8af0a8fbcc01cabdd6087c6689ee00b71
SSDEEP

12288:0dtGgozqi5paO0lp9USQVUSyrkA4zZ6J+v5NdTgxWaSTAzG:m2eas1USImazIwPuIaSToG

Score

10^/10

modiloader trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 9 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2184-0-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice08.exe	modiloader_stage2
behavioral1/memory/2184-10-0x0000000000820000-0x00000000008D4000-memory.dmp	modiloader_stage2
behavioral1/memory/1932-12-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/1048-14-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/1932-23-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/2184-26-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/1048-29-0x0000000000400000-0x00000000004B3200-memory.dmp	modiloader_stage2
behavioral1/memory/2744-27-0x0000000000060000-0x000000000010A000-memory.dmp	modiloader_stage2

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2952 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

rejoice08.exerejoice08.exe

pid process

1932 rejoice08.exe
1048 rejoice08.exe
Loads dropped DLL 2 IoCs

Processes:

19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe

pid process

2184 19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
2184 19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe

pid	process
2952	cmd.exe

pid	process
1932	rejoice08.exe
1048	rejoice08.exe

pid	process
2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe

Drops file in System32 directory 43 IoCs

Processes:

IEXPLORE.EXEie4uinit.exeIEXPLORE.EXE

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{228544F1-3539-11EF-A155-FAD28091DCF5}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{228544F1-3539-11EF-A155-FAD28091DCF5}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{228544F3-3539-11EF-A155-FAD28091DCF5}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{228544FC-3539-11EF-A155-FAD28091DCF5}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE

Suspicious use of SetThreadContext 1 IoCs

Processes:

rejoice08.exe

description pid process target process

PID 1048 set thread context of 2744 1048 rejoice08.exe IEXPLORE.EXE

description	pid	process	target process
PID 1048 set thread context of 2744	1048	rejoice08.exe	IEXPLORE.EXE

Drops file in Program Files directory 3 IoCs

Processes:

19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

Processes:

rejoice08.exe

description ioc process

File created C:\Windows\SetupWay.TXT rejoice08.exe

description	ioc	process
File created	C:\Windows\SetupWay.TXT	rejoice08.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEie4uinit.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807060005001c000a001c001300a801	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807060005001c000a001c0019006902	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = b08f35e545c9da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000454ba99265b2f24b9b7556073ed8734f000000000200000000001066000000010000200000006ec3959bd25e692894b019a618d0606a0b415c6592ac01f73fea51621e34d8a8000000000e80000000020000200000006ed25b72ff34f3b92d55fadd724b25e15ae9f172a8479f0af09c7f434cfcb802500000008de598d5f15eab7c496ca022de6fb8da79c6f96cbefcdac7437173f0018710709ff4af7ad334d3e66b5901c03d84964e157ee0e76090d8458b911011e9844e1cd6bc2b35ea487199d1dc37804271c52440000000fd8506875a9888cdd9feb514163d67abbe9a643f377f31f4c627675ec774e5bd433d1fbec78f4740c692e172adb9d2c0010d5884e9fc0071d2fff161a520e76d	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807060005001c000a001c0019006902	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807060005001c000a001c0017000c0000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06\WpadDecisionReason = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807060005001c000a001c001a00100102000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807060005001c000a001c001600cb0202000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807060005001c000a001c0013006901	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

IEXPLORE.EXE

pid process

2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXE

pid process

2744 IEXPLORE.EXE
2744 IEXPLORE.EXE
2552 IEXPLORE.EXE
2552 IEXPLORE.EXE
2552 IEXPLORE.EXE
2552 IEXPLORE.EXE

pid	process
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

pid	process
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exerejoice08.exeIEXPLORE.EXE

description	pid	process	target process
PID 2184 wrote to memory of 1932	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	rejoice08.exe
PID 2184 wrote to memory of 1932	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	rejoice08.exe
PID 2184 wrote to memory of 1932	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	rejoice08.exe
PID 2184 wrote to memory of 1932	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	rejoice08.exe
PID 2184 wrote to memory of 2952	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2952	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2952	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	cmd.exe
PID 2184 wrote to memory of 2952	2184	19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe	cmd.exe
PID 1048 wrote to memory of 2744	1048	rejoice08.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 2744	1048	rejoice08.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 2744	1048	rejoice08.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 2744	1048	rejoice08.exe	IEXPLORE.EXE
PID 1048 wrote to memory of 2744	1048	rejoice08.exe	IEXPLORE.EXE
PID 2744 wrote to memory of 2756	2744	IEXPLORE.EXE	ie4uinit.exe
PID 2744 wrote to memory of 2756	2744	IEXPLORE.EXE	ie4uinit.exe
PID 2744 wrote to memory of 2756	2744	IEXPLORE.EXE	ie4uinit.exe
PID 2744 wrote to memory of 2552	2744	IEXPLORE.EXE	IEXPLORE.EXE
PID 2744 wrote to memory of 2552	2744	IEXPLORE.EXE	IEXPLORE.EXE
PID 2744 wrote to memory of 2552	2744	IEXPLORE.EXE	IEXPLORE.EXE
PID 2744 wrote to memory of 2552	2744	IEXPLORE.EXE	IEXPLORE.EXE

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19c9ac3ad43cfef8c4a5cf3640f6194f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2184

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Common Files\Microsoft Shared\MSINFO\DaverDel.bat""
2⤵
- Deletes itself
PID:2952

C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe
"C:\Program Files\Common Files\Microsoft Shared\MSINFO\rejoice08.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1048

C:\program files\internet explorer\IEXPLORE.EXE
"C:\program files\internet explorer\IEXPLORE.EXE"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Windows\System32\ie4uinit.exe
"C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\MSInfo\DaverDel.bat
Filesize
212B

MD5
27f5ef967d6cf984d8b775d54ecdfaab

SHA1
9f33945dc67bc28ccae0f4639ed7e810de1bfdf6

SHA256
de58923fa2879badda447c32ac42cdf3990dd4339999d7d31d70af384ca8ac09

SHA512
1d86a04c61da6743d863cde770a14797a2184f247b166ac44e1b932232fd466beb95beddb0a331e5a4e0389f65b78e3d99874088d482f1a96afb78b59b0342db

Download Submit
C:\Program Files\Common Files\Microsoft Shared\MSInfo\rejoice08.exe
Filesize
690KB

MD5
19c9ac3ad43cfef8c4a5cf3640f6194f

SHA1
b256386cdf83edc56fa76cf0e8828c3b62991c51

SHA256
da40cf61eee19f3a427e9697956aa7af9a46c942461795bef1aa3dd385d4ad44

SHA512
e75308831ed8d5e7ab24b0d122775d966b9d8dfd7ddcfaff57b6615623d7558b9b1b6d89a28051188f6b220c3633e0c8af0a8fbcc01cabdd6087c6689ee00b71

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
d2c852b9dc7057fcbdb5a4492ea24715

SHA1
593cf4fdacec476aeb74842829fcf418d223186a

SHA256
58811776db25cd0476fed238ee9b99d1863f7caf4ccab8257a54532ad1dc92de

SHA512
68d61956a1ce083e3202b2e8c053e3bf4cc662f48f32b40ad08d5e696caa16bb472c83f7aca5a6e5704e09ba937191aa722f27a092bfe1ca0b41b5da287d18f0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b78865e27a0371526159cfaed2c61080

SHA1
05d63157548d38d859c238621bbe6a8071791776

SHA256
8869f22e4c9dee94923bcbb8cbec6b25891397638d919c2ede1bf036e88e961b

SHA512
94ec292f934034187eda336c654fe413e42804d391f31dc070237765692fb33400a418d093ee96093a9cc1acd5dc0fd342b230ee53641d7b4fe40d2943d8fab6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
30dd1192cf36e16692799eb1aee9e5d4

SHA1
ee8d357c905cb31a69436e9042218b3f4dc2976f

SHA256
947da7b06310057867b33e3858e12b7a7bb1bce4fd5e76b95d52ccb0455395f0

SHA512
ed4daa62feeae976dcd0acf3b5639b1b0915824e6b811ce7acde3855f54162ba566f161d8d15168d679e227e16bce1f7501d467b17ae8761b671280187fe927b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d2342ae32501c4b440b612a0ba3f37c0

SHA1
cf8f3ed5dfc1c8f2b287c2b67d7aa6189bf69112

SHA256
42c80b31587d91fd86673bcfaf8da3e48240b7e18fb8e2bd6106cf9a6e616252

SHA512
b689a9bf0da0fa7561efc70a952de020cea1b99d5a6081e26f3a797cbc09ea880aba5750276fb9baf594ef2f8ba6b50f49d80194060a0ca929a2790573911ae7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6773bfde4026bea321ee1c5e5d26c016

SHA1
35db48dcbc5419f236a5a1fd81da9c4b58f88835

SHA256
11a3e4371f185cdf08516dad13e2f9a79ff0f4be649822cdde9efd6b294d8c33

SHA512
47e0086c2195cd4236dd7a0c05ce3b7bd93b210708b083e8304def3ab5028d9f5656ccffa0f23b458692af08599c2f255e6b2993e60538ca5599e4eca4ff2939

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
78370227009bf4ddc03abe00a25b1bb3

SHA1
7f0b862a7256fe4e05e0b6685bf66f97d2b69afd

SHA256
fc7bc68b68c5627c8bf96980815e8a5fc874ac753636f698680d6ec50fccfdb8

SHA512
ddd38cf7685d7443a930390d5d6111334e52f8aa49afe85803ebbc59f36b95c46d662ba36fac62d4206edbcc613e39ffc46f86167d74ee738ee86b6c82c9f8ef

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3b8d1294b8abd028652142ae68d2436d

SHA1
84e50427e23ec8c26d389e9599c7af1761f9ff09

SHA256
d531cf5770bd8701d3dea986b25f057b7d5163234e77b81f7ddc5b4d2047f3a6

SHA512
dd6b41da22cab3e0ab3a2fceb08da272e57825e29752772e39532d2425c8211810edbd12fba3d63db1186ab59f228989bfde32726b53a5853db50d9306017f5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e9953b5d554a47dd75fae116d9b59e9b

SHA1
95a0fd231a0d7ff75c0dc9d9f411d4e9443a6b44

SHA256
0a95ac99f65e588016e36f6a20a711d3cbf705a325decd033fb17461859041e4

SHA512
d65dd8774a1df3c7eee64ffeeb1e7eb15c75e6fc2d1b832ac3019dd9db9348804db7127c0fd42bbad16df3c3b8783f75ee9be38b3fa339884e219b5716a37e9d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c5b40b90b3db1d9e1a72a8d2949d12ba

SHA1
4dcf2c50b62cfcb9f022623160ae9dadea16a28c

SHA256
79bce687f81cbca420eac099135061ea6e7fb62aa01bafe69363682869717481

SHA512
207374ae7be81a6c581f10308304c47fed773d35a022dbba67d6a2e962e4ed2d6949524bbcb291e4cb69b2080c387b23aa79dbc104df066beac3bcd1c9e0de08

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
59620537c4475f959024de7dd93a85d2

SHA1
6de01f6a8b3a568f6396142b4b2ea3fd7bc82f9c

SHA256
98d43439660b50cee72d77eddbb3ced23683828acdb9b66d042680f855f41fa9

SHA512
02d53716341cb7cbf6a01416971b87a216d19edc90d5730398f85709e6090091fe1911e7b69dca64563478db8498533a4105e4d78e6ca28dfe23c3688f9c2021

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
072ae2ee1e5693752e3c7c50ba482471

SHA1
c23d267cd424359c076335ab4c5d4dd444319c5f

SHA256
21a3c6d3d93d43460f51b9e857f6ce82dee0157185c1883209eeef50182f65e1

SHA512
ceef34768b09bb44cde6d218ee6500e4d21e1343100900301d220e5d6006518e6f32bc7b442ca07ab28fceb5fc4ca94ca235fea14a53dbb40787c093df62b316

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
60a637bbeb73435bb4589fa96db81993

SHA1
f7dd7d2fa109d65e8834d0ff44b7c2872972410a

SHA256
101669b4ba045992d97f8995a11c550a33880ce08aeabf77813a810614d6aa7d

SHA512
d01556fcc2432bfc3bec64af7dd1630dfdaf9011f1069d247a4a8a3da863ab4e3cf5207360cfd13858e7dcbf4199d411abda2da64ad436319de364adb397a4d5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
db2d12431a99e80947b86454e67aba0f

SHA1
619f4baf5ea0fef68af1e176d4ca0c7dbcd9c3ec

SHA256
a88625906b4eab244668e58de1ab1c1d96837329198de46de0e93374e08ffffe

SHA512
252c6386bbde1bfee84708ef684f5e757a77af9ca57c4b01c42e97ed592744df128bd9a7147fc3ea15fd90cefa8f2d8a48815ebbda3897ecf7fef4f9afbed2df

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ad013355b12c49692d56de47b0edd1e5

SHA1
932e99990332d45cdee5299d0d71afc010100454

SHA256
688ecfd36884429844b465c0367d695f912c2ee2349edd43e3109e972be13dc5

SHA512
4dc2941b7aa8b20172ce5a3000e805acb7981ecb10de942136fb9ada05f86b6efaa26df1d824b68e06cfc02348391d480ed84dc3244407d9070cb70ce4ec1ba0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3f680d5b0110eb3c456193a234cc2147

SHA1
51eb14feadced940b65cf8016513f117d5e59887

SHA256
502c2694431b979a1049d5065194095e5ab0250e3662cc6fd5400c370974f3ef

SHA512
3c5357042cf2d090aaaf577e50b708605c4d7d2d94a4c194f4585641448d5ba29411295e3d72fcadbb40bf995a8bcc18e7ea0bd0af0fc6d4fcad7e3a15c4950b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9346b8cf5050102c4b8a12bf3e93b195

SHA1
7d4c71be82c2cb1e47641fdbc6b4e86f43e823e3

SHA256
13c645ea6ba011b001837b22327354077aff6bb08cce10069f8a0b5ac44c28e4

SHA512
a9e2259dce4b55b537fe7d9ec856fe4b9ce03cfad8892fe06f28f9b9fbdc999fb950751c98365372f2d7d113bb762d186ca854663dc90c014506dd065cfb535e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6e62eb0991a32ca9488e55ab07cc9ff3

SHA1
d0ddb80393f627070edf188c2e2cf3e9f1f7a521

SHA256
41b2e6a3d625694e407933bc28c566cd564c9318257da59e5d536278674d65d2

SHA512
231a9b900f6c9bf9526ba319d57b5b13d31c46d9c7679f374ade0e2867830e35a16319fff2e6ec99babaf7ac37efa83451fd3571365872e915f8fe306731bb6a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4de7fc51df1579e8787e3ba8032f31af

SHA1
4823b3e400137260c6e6c69c35c635700eaa7155

SHA256
f22c0eb662ef9d394dea404b1d84113ab6f5a48a6213f3eba30dfa7392c8fd21

SHA512
1882c033700e6cfd4bc99b8a162568e477b79b1e0101d8a45cafa00e84b7f630ca19a8e2a0a633431852a4629f50f7da99be1ce1e8177810eacb00d7879c1d22

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6066e94995427388fc926bfe4651be96

SHA1
92a5506e31642a904f2d4364e109af4747ffd4ef

SHA256
b2bb57014e96a517fc2448373a79bdfa4b82208286b16c332cc0a9c74c75ddc6

SHA512
bf44073c6fadd858923ff4ad57deecc21aaadc70b3fb8ba8cbbbbab448f69cdb0756698153ad939e7979c328ae264554c64e9fbe835fd5550cd5c7d6a9d640c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
219c254ee44777b4229c025d30e59dcf

SHA1
6d11aab4ec4dfdbdfbe32e45c2d304682d3078bd

SHA256
82f5bebb85eacba06fa8c324ff3edbc1e2dabe030eb36030d98f70ba0351d995

SHA512
f48b8bc456bf0ac7e7a1b97777d741a585934ab9ec32ece3309ecbe90576528cae414b0af409ba612fe3869b07c8ae6c72349b2f5e7359903a3d7dc960d6c626

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
01f7ccc96fcfd3eeaa26036a00cddcdc

SHA1
5c7fa3a9abbcb4928ce833ac4c929c1b32a9b053

SHA256
a092b27f7b909e6eccf5691d9d078277fa0e3f6f5044de9161c4e5997cd804d2

SHA512
a2fcbb1f244aca50e559896ffcda35381b02daa1e3740bb6dd46052da7e892485e03e5b4ac6e4cef227bb49090ec2cd20e64e91f903c32316bab8603c3146261

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c46de1c32ce2fc79eaa37876ef47084d

SHA1
9608aa4a3c22c44a4bfce8eca657127b8589a86c

SHA256
cd3d86502546fd9e920c877f161e9d2df8bbf18a616903aa45bff387b8812118

SHA512
ce0ee843ef59d1ee34188f82575f43b26a4f0fdf6fafc1a910a8903cbed61274b33a147f471edbbbbc11190d32b3b0a069d6d80adbc5c97edba18ef75b9ec823

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ae630051656237039aa65f33dd27b4fd

SHA1
ee7860d7a6efd7f24a4211c6a94fdffa97a8a51c

SHA256
0f3fbf2159bd49e8aa54e410a298d95baf275b1641262188e1f951aa528e941c

SHA512
a0771207db74dc474e0db8e3a500af029023904700af188268ae3e73aa3def5762202beeb0b503f93220ff6a2461fded8827bc68675125aac7a76ebb0cdbc397

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
e1ebd00f3388dc0ced35ce3bd4e6a8c6

SHA1
f57344fde8a6dbb467cb3f438db5894467731c7b

SHA256
2f856f66c596a7e2490e0ed2e1a22dea6fd3a7f8f75098424af25fc17bda8192

SHA512
382ba71429fec3021d63c139f9417c13f933e736ca3880a8cca26a039cb95c70726f0b221a0a4806ef1bc35b72ddb8a646337690cca7fe3287cf62190f082145

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url
Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini
Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini
Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab7E68.tmp
Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar7EB9.tmp
Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar8332.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www71D6.tmp
Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www71D7.tmp
Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/1048-29-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/1048-14-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/1932-23-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/1932-12-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2184-0-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2184-26-0x0000000000400000-0x00000000004B3200-memory.dmp

Filesize
716KB

Download
memory/2184-11-0x0000000000820000-0x00000000008D4000-memory.dmp

Filesize
720KB

Download
memory/2184-10-0x0000000000820000-0x00000000008D4000-memory.dmp

Filesize
720KB

Download
memory/2744-27-0x0000000000060000-0x000000000010A000-memory.dmp

Filesize
680KB

Download