45bd8b9f26ffc735b39361c6579a45362fb177cb62c8fae6d3902c9834a10dea

Analysis

max time kernel
270s
max time network
273s
platform
windows10_x64
resource
win10v20210410
submitted
10-06-2021 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fgf173.exe
Size

3.1MB
MD5

aa87b7c2b72228d50368248accf4ea37
SHA1

70c479dba1c5980ee68e60fadca2aa39e834ccd0
SHA256

45bd8b9f26ffc735b39361c6579a45362fb177cb62c8fae6d3902c9834a10dea
SHA512

2b0665f8516d4a0dc701f3b5c212bc348aaa66a5a3a54a89b2c75cf27961a96cb86fb05051b1a20be22475bbf365a6a353a3f1702eefad9090309259d838a798

Score

8^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

GLJ1851.tmpGLJ1851.tmpGLJ1851.tmpflashget.exe

pid process

4056 GLJ1851.tmp
3944 GLJ1851.tmp
2084 GLJ1851.tmp
1272 flashget.exe

pid	process
4056	GLJ1851.tmp
3944	GLJ1851.tmp
2084	GLJ1851.tmp
1272	flashget.exe

Loads dropped DLL 11 IoCs

Processes:

fgf173.exeGLJ1851.tmpGLJ1851.tmpGLJ1851.tmpflashget.exe

pid	process
780	fgf173.exe
780	fgf173.exe
780	fgf173.exe
780	fgf173.exe
780	fgf173.exe
780	fgf173.exe
780	fgf173.exe
4056	GLJ1851.tmp
3944	GLJ1851.tmp
2084	GLJ1851.tmp
1272	flashget.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176
Drops file in System32 directory 1 IoCs

Processes:

fgf173.exe

description ioc process

File created C:\Windows\SysWOW64\GLBSINST.%$D fgf173.exe

description	ioc	process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	fgf173.exe

Drops file in Program Files directory 64 IoCs

Processes:

fgf173.exe

description	ioc	process
File created	C:\Program Files (x86)\FlashGet\language\~GLH0006.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0009.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH000e.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcrom.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\default1.GIF	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\License.txt	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jckor.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH001f.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jccat.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\Skin\Normal.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\Normal.jcs	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcrus.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\Skin\~GLH0026.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\unreg.inf	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\Skin\Sky(Gradient).ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0030.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH001d.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jceng.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH003b.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\getflash.dll	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\sounds\~GLH0033.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\sounds\~GLH0035.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\flashget.chm	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\sounds\~GLH0032.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0044.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0010.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0014.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0043.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jchun.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH001c.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH001e.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcchs.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\flashget.exe.manifest	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\jc_link.htm	fgf173.exe
File opened for modification	C:\PROGRA~2\FlashGet\INSTALL.LOG	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0017.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH003f.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0041.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH000d.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcdeu.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\Skin\~GLH0028.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0046.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0004.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcheb.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0021.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0038.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\mymirror.lst	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0005.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcsvk.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0013.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcesp.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcbul.ini	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\Skin\~GLH002d.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH003a.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\~GLH0003.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\UNWISE.EXE	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH000c.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\language\jcita.ini	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\Skin\TestBk.jpg	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH000a.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0015.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\language\~GLH0024.TMP	fgf173.exe
File created	C:\Program Files (x86)\FlashGet\Skin\~GLH002e.TMP	fgf173.exe
File opened for modification	C:\Program Files (x86)\FlashGet\Jccatch.dll	fgf173.exe

Drops file in Windows directory 1 IoCs

Processes:

fgf173.exe

description ioc process

File created C:\Windows\~GLH0000.TMP fgf173.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\~GLH0000.TMP	fgf173.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

Processes:

flashget.exeiexplore.exeGLJ1851.tmpIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\MenuStatusBar = "FlashGet"	flashget.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download using FlashGet	flashget.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download using FlashGet\ = "C:\\PROGRA~2\\FlashGet\\jc_link.htm"	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\Exec = "C:\\PROGRA~2\\FlashGet\\flashget.exe"	flashget.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\Default Visible = "Yes"	flashget.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\Icon = "C:\\PROGRA~2\\FlashGet\\flashget.exe,223"	flashget.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download All by FlashGet\contexts = "243"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\HotIcon = "C:\\PROGRA~2\\FlashGet\\flashget.exe,128"	flashget.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download All by FlashGet	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\ButtonText = "FlashGet"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}\MenuText = "&FlashGet"	flashget.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{00F617FB-C98F-11EB-A11C-CEFF684A7CF6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt	flashget.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download All by FlashGet\ = "C:\\PROGRA~2\\FlashGet\\jc_all.htm"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{E0E899AB-F487-11D5-8D29-0050BA6940E3} = "FlashGet Bar"	GLJ1851.tmp
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\MenuExt\Download using FlashGet\contexts = "34"	flashget.exe

Modifies registry class 64 IoCs

Processes:

GLJ1851.tmpGLJ1851.tmpflashget.exeGLJ1851.tmp

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0E899AA-F487-11D5-8D29-0050BA6940E3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}\VersionIndependentProgID\ = "JetCar.IeCatch"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch2\CLSID\ = "{A5366673-E8CA-11D3-9CD9-0090271D075B}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FB5DA723-162B-11D3-8B9B-AA70B4B0B524}\ProxyStubClsid32	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.IeCatch.1\CLSID\ = "{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch2.1\ = "IeCatch2 Class"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0E8999E-F487-11D5-8D29-0050BA6940E3}\1.0\FLAGS\ = "0"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.Netscape\CLSID\ = "{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16136F72-5845-4CD4-825E-56C3BF44B598}\1.0\0\win32	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\Programmable	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.Netscape.1\CLSID\ = "{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\ProxyStubClsid32	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}\TypeLib	flashget.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}\ProgID	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Getflash.gFlash.1	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F8699D-7E1B-4FD8-96A1-4EA660FE15DE}\InprocServer32	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16136F72-5845-4CD4-825E-56C3BF44B598}\1.0	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\TypeLib\Version = "1.0"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch5\CLSID\ = "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}"	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashGet.Document\shell\open	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0E899AB-F487-11D5-8D29-0050BA6940E3}\VersionIndependentProgID	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0E8999E-F487-11D5-8D29-0050BA6940E3}\1.0\HELPDIR\ = "C:\\PROGRA~2\\FlashGet\\"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}\VersionIndependentProgID	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}\Programmable	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05366672-E8CA-11D3-9CD9-0090271D075B}\ProxyStubClsid32	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91C8867-A70D-4328-BD96-CEAE7C78D31B}\TypeLib	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}\ProgID	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Fgiebar.FgInfoBand\CLSID\ = "{E0E899AB-F487-11D5-8D29-0050BA6940E3}"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch5\CurVer\ = "Jccatch.IeCatch5.1"	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}\InprocServer32\ = "C:\\PROGRA~2\\FlashGet\\jccatch.dll"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F8699D-7E1B-4FD8-96A1-4EA660FE15DE}\InprocServer32\ = "C:\\PROGRA~2\\FlashGet\\getflash.dll"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\TypeLib\ = "{16136F72-5845-4CD4-825E-56C3BF44B598}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A5366673-E8CA-11D3-9CD9-0090271D075B}\InprocServer32	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Getflash.gFlash.1\CLSID\ = "{F156768E-81EF-470C-9057-481BA8380DBA}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.Netscape\CLSID	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch2\CurVer	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F156768E-81EF-470C-9057-481BA8380DBA}\TypeLib\ = "{16136F72-5845-4CD4-825E-56C3BF44B598}"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashGet.Document\shell	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.IeCatch\CLSID	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E5F8699D-7E1B-4FD8-96A1-4EA660FE15DE}\ProgID	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A91C8867-A70D-4328-BD96-CEAE7C78D31B}\TypeLib\ = "{16136F72-5845-4CD4-825E-56C3BF44B598}"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\TypeLib\Version = "1.0"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E0E899AB-F487-11D5-8D29-0050BA6940E3}	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jccatch.IeCatch2.1	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\InprocServer32\ = "C:\\PROGRA~2\\FlashGet\\Jccatch.dll"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\TypeLib	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{16136F72-5845-4CD4-825E-56C3BF44B598}\1.0\HELPDIR	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\TypeLib	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}\TypeLib	flashget.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.Netscape\CurVer	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A91C8867-A70D-4328-BD96-CEAE7C78D31B}\ProxyStubClsid32	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DE21DEF8-7C35-46EC-A705-446DB76F09E9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.IeCatch\ = "IeCatch Class"	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA722-162B-11D3-8B9B-AA70B4B0B524}\InprocServer32\ThreadingModel = "Apartment"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JetCar.IeCatch\CurVer\ = "JetCar.IeCatch.1"	GLJ1851.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05366672-E8CA-11D3-9CD9-0090271D075B}\ = "IIeCatch2"	GLJ1851.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05366672-E8CA-11D3-9CD9-0090271D075B}\TypeLib\Version = "1.0"	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}\Programmable	flashget.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E0E899AA-F487-11D5-8D29-0050BA6940E3}\ = "IFgInfoBand"	GLJ1851.tmp
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FB5DA724-162B-11D3-8B9B-AA70B4B0B524}\InprocServer32	flashget.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

3480 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

flashget.exeiexplore.exeIEXPLORE.EXE

pid process

1272 flashget.exe
3480 iexplore.exe
3480 iexplore.exe
3648 IEXPLORE.EXE
3648 IEXPLORE.EXE

pid	process
3480	iexplore.exe

pid	process
1272	flashget.exe
3480	iexplore.exe
3480	iexplore.exe
3648	IEXPLORE.EXE
3648	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

fgf173.exeflashget.exeiexplore.exe

description	pid	process	target process
PID 780 wrote to memory of 4056	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 4056	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 4056	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 3944	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 3944	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 3944	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 2084	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 2084	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 2084	780	fgf173.exe	GLJ1851.tmp
PID 780 wrote to memory of 1272	780	fgf173.exe	flashget.exe
PID 780 wrote to memory of 1272	780	fgf173.exe	flashget.exe
PID 780 wrote to memory of 1272	780	fgf173.exe	flashget.exe
PID 780 wrote to memory of 1272	780	fgf173.exe	flashget.exe
PID 780 wrote to memory of 1272	780	fgf173.exe	flashget.exe
PID 1272 wrote to memory of 3480	1272	flashget.exe	iexplore.exe
PID 1272 wrote to memory of 3480	1272	flashget.exe	iexplore.exe
PID 3480 wrote to memory of 3648	3480	iexplore.exe	IEXPLORE.EXE
PID 3480 wrote to memory of 3648	3480	iexplore.exe	IEXPLORE.EXE
PID 3480 wrote to memory of 3648	3480	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\fgf173.exe
"C:\Users\Admin\AppData\Local\Temp\fgf173.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:780

C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp" C:\PROGRA~2\FlashGet\fgiebar.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
PID:4056

C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp" C:\PROGRA~2\FlashGet\Jccatch.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3944

C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
"C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp" C:\PROGRA~2\FlashGet\getflash.dll
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2084

C:\PROGRA~2\FlashGet\flashget.exe
"C:\PROGRA~2\FlashGet\flashget.exe" /install "http://count.flashget.com/count?status=0&ver=1.73.128&lng=en"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://count.flashget.com/count?status=0&ver=1.73.128&lng=en
3⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3480

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3480 CREDAT:82945 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3648

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\FlashGet\Jccatch.dll
MD5
8ab453e6168a5fedfddf44bc13f42e70

SHA1
6895825134103ba0b29bf162d8ae75025d9c943b

SHA256
649afd34ec09dba3775c6f1180acf2a90b9f578eb7b465cc8dbbace322194d97

SHA512
58a5f33b6ea27bc00884494bee119102e5f0f66d2e2b98d060313bb375cb5d72550f8002e9b786a0537ae0714f435e9b78fdd27cb2a394ae6bca81c934c81d0d

Download Submit
C:\PROGRA~2\FlashGet\fgiebar.dll
MD5
8fa3b8b4ecffde790da2173210c80a85

SHA1
7da2f629abedffa29cf90bd01f0004c7a91ac88b

SHA256
cbe2dec76512d17ef9ba5e2a26985d8daf6b62f69610de7c6824883269c433bf

SHA512
b09f7d147cd15f61bafe05badfc01bee855b67404a845b9d5d016a5ad1d88b71fea0890c043e1db781883ec34f5b80c5defa354ebf39b2051b245909e64cf9c1

Download Submit
C:\PROGRA~2\FlashGet\flashget.exe
MD5
680f41ec4f9c8c3b2a23791c004dbb33

SHA1
e468ec7933f6b535a3018fd93fed7212237b5790

SHA256
f066567504eb88e7e5c365ce252a8e946096c5dfbb958c671d823697fb504618

SHA512
88cfdc5db693172fb10bb9a6aa85958fc613939225a014b545f6bdc855e953bce2e0ce0f37d90cbdffc3a641a96b24b17fed827ac37b8536f19df0cf5b301c08

Download Submit
C:\PROGRA~2\FlashGet\flashget.exe
MD5
680f41ec4f9c8c3b2a23791c004dbb33

SHA1
e468ec7933f6b535a3018fd93fed7212237b5790

SHA256
f066567504eb88e7e5c365ce252a8e946096c5dfbb958c671d823697fb504618

SHA512
88cfdc5db693172fb10bb9a6aa85958fc613939225a014b545f6bdc855e953bce2e0ce0f37d90cbdffc3a641a96b24b17fed827ac37b8536f19df0cf5b301c08

Download Submit
C:\PROGRA~2\FlashGet\getflash.dll
MD5
c281625e4775f8ad88448c50afeb4561

SHA1
de3a5c69257a781ce06cc8cd2078f0fb4228358b

SHA256
9b6ae3b9419f82eb7eac02a0f7e25a5ac29e96ce64436338ff27b136a916d273

SHA512
e491d27e1827a1758726eca687b847f3e5818ffa96346e22955692cbfebecf97180c84d33b03d4ab09886cce09e289e79c0aa27de5832c67219cbedf56cbd3c8

Download Submit
C:\PROGRA~2\FlashGet\language\jcbul.ini
MD5
b5b068dbfecc31f7ff5d37e0dd78d465

SHA1
147fdeafe371ecc2dc7f2f9fac092787cdbc0003

SHA256
3f2c51e569135571b7c3c1a7305eed4c8c53f8d9872964277145a3987a948afa

SHA512
539dcec001d45d6249deb6af74f0e271f716d70d7d167784d59882658f06113a09e43e987c0fa5c368356707a770f9e494cb99aec07937f6569b1f19477143db

Download Submit
C:\PROGRA~2\FlashGet\language\jccat.ini
MD5
aefe6839d312195b28b419e12760cfe1

SHA1
6fa81d2cab7d6a242e5d35184a25803aeaec8bf5

SHA256
f3116101f06fe7ef86e4d05ab100d7a0075f3a616e5585e95beafb67f3912448

SHA512
432b943282ae9acb0ab7d0f2c3cab59f5e5e27223324ca5d32e9efd71bc8765b1de1a3c76f68ba36caec3d7cb7b4eb5dbb61a760d7a66947f7d210ad59f95679

Download Submit
C:\PROGRA~2\FlashGet\language\jcchs.ini
MD5
be28664d7387b2b8d8c97da012e1fa9c

SHA1
ac00ae3ddc9c4693d4931ab65625b786a988b1f1

SHA256
40474b569488fdd084fbac736575dac1beba5793f6c0836b18abef7ee85561bc

SHA512
09ce863f0f9064a5b58a46097ce78012fe169fa56fa3a57c07b1c27bf41cdc76396bf6613e635eefd9bef6be606ebc19b9a26c3f4b62c77296010c3e7ced0f23

Download Submit
C:\PROGRA~2\FlashGet\language\jccht.ini
MD5
243ceba4030c990b9b71bbf362a9a3ac

SHA1
b30b27956a4b59f4770aba01a211a13ddb9e918e

SHA256
988ec8c2ad8534de034da69adffe66df271b1d50f56d063061a2d4f2e419c173

SHA512
51f31ffa5633b55e54cf39a1fdc457b72e2c4bc60a8085e169a7e98a56c5ba515d9c8240c3118e28b5d4b66579ae466856c4e355045456612751d5dd8bbfb719

Download Submit
C:\PROGRA~2\FlashGet\language\jccze.ini
MD5
c17b1cf0b458a0a9a1cced0e52a73b57

SHA1
08c8169582a523d9ee671a1ef4e36928129e0d51

SHA256
d52da9ea863099be055865fbeb27d1b0bd72415369e312d3b3cc5d9b5a5333dc

SHA512
803b6e4d229e1931f981ae148fd423c97494db9111a68c1839de74221777c8a462e584628d7b261ced9e6f5da181b378ec0120e37c74056762e2e0cc3d14ff9f

Download Submit
C:\PROGRA~2\FlashGet\language\jcdax.ini
MD5
6122713779dd36277f71d9fb369bd97e

SHA1
3595fb3bebfd8f29ca1251fb6c4acce76afb6c95

SHA256
44732ef20586908fbefd50c32b33148cd711d58ec970ed01fbdb18a7762a880c

SHA512
3d6ce334759f9cd6e1861c91d136f4d221de8f8f2e2059a1b5d46164697f533ab5a441ffc61948f9e578f760e238098e64935f6e500e96a8e40cab02c4fdc782

Download Submit
C:\PROGRA~2\FlashGet\language\jcdeu.ini
MD5
9e64992c6cef2271e3b5890d6fd8c7b2

SHA1
4c4b819e446a578ba4d8c7d233f199890ebac637

SHA256
58bd4a89da0cb674d6fceb968c4896b651d2cf3630b3ba2bd85aa5a9f2cf086a

SHA512
b0c1acf15adcb131734f2a171afbed120d6ba7e0c76baa1409dc0f99575155c9226bdc70b3786b5f761cf8c25d5bca0560073466103154a3a49890749ad61ad8

Download Submit
C:\PROGRA~2\FlashGet\language\jcell.ini
MD5
02f0f306433ed3b198722e48930ee847

SHA1
212d681d8566d468d3c04f6edf48294c0a9defdc

SHA256
0b475b62fc0099cecd1a569373931da3835a6e4885c344e09b7a52dbd55764f1

SHA512
db15afcb0ac9b31eb9ca94771c696f4decee07f4abd3c48dbbc73a47bac5425cc70f79150ffe26bb0c6b04c90cbb7a5ddd896245b269772265fcc4293b213b7b

Download Submit
C:\PROGRA~2\FlashGet\language\jcesp.ini
MD5
a1130786aba13f7781d8430bb4409280

SHA1
b4d819201b6d1c88214ca7807314cbb03bd81704

SHA256
312d3ebdf9699bd39a1f3932c2a766e22424a948d551b3b5ca5c2ae97be764f1

SHA512
7cd9608e703fb2c4f06badea5cb1e13bb83c28ca062b03f2f3b4a6795173f2dcfceb9bf5194a40596ea3a5a0947b8ddff3c771cc13a700ecbec36ba753d17ad5

Download Submit
C:\PROGRA~2\FlashGet\language\jcfin.ini
MD5
6ca537e69c8851babe7de603f5936ccd

SHA1
7f39e25408434b5099499f81de086192cb80c87f

SHA256
80733c5ded1fec08e809876529b80805d0aa6287e407e2b737143cfc2998414c

SHA512
ec504b006764111013eb356940930d4bb04b0ce50731c0321066b0e347ddd9ae61bec24f6162df4f5dc9a823617411664df61c64fcaa66c9e4cbd2279508b8bc

Download Submit
C:\PROGRA~2\FlashGet\language\jcfra.ini
MD5
4e305f5d580599377c4dae175e8924d6

SHA1
6fdcc847d1d8ae88bbc192b5521189baf1ed8266

SHA256
f58e79faeed26939adadfed9772d17719873cfd45aab3f38e4126f1bc5e01a0e

SHA512
636cfd3287f2271383a90a616cecb66a0a1e2288a3a03105de83207b655ab6ee37d146b767b6419859b141878ce66490818f8cbf2caa3dd478d1009dc23d0334

Download Submit
C:\PROGRA~2\FlashGet\language\jcheb.ini
MD5
48ff7781c120aee89226ae98e352b472

SHA1
cbffa6f040a3a6462f82f7fc35c266efbcab88cd

SHA256
2e5b525d01a5b20426adf53cd1f394394abd1c77d22bfaa7928705f821c76cc0

SHA512
4bb7d506017c69463bb9ba736217ad12654526fdd68162340738394b794ded8e2324b22d5c284bd47dc23503e92a53562179e0a0e8afb60c5df87fe285bb2816

Download Submit
C:\PROGRA~2\FlashGet\language\jchun.ini
MD5
55aaa2e455b19c86235758c6f7d352c3

SHA1
d845bf44a8b56d67242fd4c9429bd47a77a1661e

SHA256
1f1698096b78b6d1e016e2e54a3ea26922d254ad745be9da3196b9be89a49986

SHA512
97689590f7bdc7ffd3e2c1bc162396571015c8ad0deffdc7f64fb29f1c6265ce36d4ae896cf9caee41df2f17527050d04040e5872dae769a481f79d13dcd2699

Download Submit
C:\PROGRA~2\FlashGet\language\jcita.ini
MD5
b050de7c48cdd31f6905b06398fe9453

SHA1
9a70319bee5ff1ba3d89814b9b4e8b5d154478b2

SHA256
4efb306634d68e3d7284c4b2b8ef78fe95e56bde8baae76b6d65708f8db64385

SHA512
67f6af577170a1d88d271c914e05d8e5da78294639e710ab2342f8e5c77002f1da7b197616c3829007be82a79c55cc3163d4516637b4dd50d45d72458c29782b

Download Submit
C:\PROGRA~2\FlashGet\language\jcjpn.ini
MD5
60a4fcf3cc068a971bf90156a17f855e

SHA1
5452a14bc702bf1c7dab1c9d94bee03893d6f445

SHA256
2419d1167b65336a8af1a3e35887762074a0c4b8919d9716544d1e994772d335

SHA512
1a1b4f9f5245e99c2834ff4f437bc9ceea8f21d2fa0e260128ccfbd2727d21c530539039d44b95171c8c07836e43f49727932d50e6f70ae88da03283d7caa2f1

Download Submit
C:\PROGRA~2\FlashGet\language\jckor.ini
MD5
30df184539250f021e4ddbb7ba22a427

SHA1
d5854e3388985daefeb24694115bbd231c49a6af

SHA256
fcf1d9a822cb19a43a4993a0d8798c11bb320891f5a8b22a12240b76dd9d7314

SHA512
3273aa59c98fdd6c81021e7428c71cebc909e2f720d5131532e3b004b4fa9cd9fb973dd5e957efa4e7bd914868649c9c533d34c992412bf3ce0ef1f82505260c

Download Submit
C:\PROGRA~2\FlashGet\language\jclat.ini
MD5
d7bc57496eb4b711f1dcfac6a83bde91

SHA1
b7cecaa2b6abd1a1344509a38c686b03e568e961

SHA256
e7703976576128dd1053a49a352d7fb7523b96d0456ea8f0fde9c91b0bc44e4c

SHA512
764ac29e2d0679b874be869d888ad12d052cacbe4996d5ce0e28f9bc83eabd65fe86ef09f65da2fc76f34895fed48d8c8f12fb83291cdfad8eacba85230a3d75

Download Submit
C:\PROGRA~2\FlashGet\language\jcltu.ini
MD5
7128bb98105750079d8e3d5bbcf8ebe5

SHA1
986c99592bb62b83dd633db549b44dd1f10cbd32

SHA256
a40e060152d9cd26882f0341ff81987d2f143743f084960245cbe04fd0869086

SHA512
caa0f6571709bf828266951a84f3f90582dca02598b9ccade2b10d16c7046674c5843a036c8cf5e65cd21d734904fbfa25eb936e4b39f7009518bf0f6829506f

Download Submit
C:\PROGRA~2\FlashGet\language\jcnld.ini
MD5
0b311736a6a27f48bfe80b5729e46dca

SHA1
7b14b5785920ccbeac9f35d45c1ddd06a256957d

SHA256
3e6d69ca1f68614b0b599dde91f735ff0ab1d72d0711164d4ee689b6d9f3afb9

SHA512
0754d0693a8236c7677e34da1f452602e0a50838a511ced47979186bf69585101dc962f9895c6cd4c74a37db1bbb77a6f5532d6f2fbc28584488f2a2f9e365bf

Download Submit
C:\PROGRA~2\FlashGet\language\jcnor.ini
MD5
7f5c73c24c897227d117956e9c82bcc6

SHA1
d7f571dac36cd8cff072f3da35a057109cd39e2a

SHA256
86175b659ecc03f3a284ff86d5231edd4a53900a21b3822e45827b01559f3f11

SHA512
9549a09730acdd413b27b00bd0c3fca23f9d93a692b08260f77215fa91ee4df9db3ed5e2850ebbaf619b8f850da364cc5aeaea555774b0fa3c16de2d980b9ce8

Download Submit
C:\PROGRA~2\FlashGet\language\jcpls.ini
MD5
fc707510cd3ef98bcc73115c89803b8a

SHA1
894f697dd160ee5df5f495bf4e320cd0956da9cc

SHA256
d9e5a59a34b4be5ff8164c9fdc4f2e5ecccc191f218789b05c83aa25515742d3

SHA512
0e2edb94542a77eb1dbf10b5ff9b33095b41df5342d75875bd84e0e23533a49ef982db25b08dfa7c34965cd92d86b51ed44c9a08f257fd78e30f554f90b7798b

Download Submit
C:\PROGRA~2\FlashGet\language\jcpob.ini
MD5
2d3909863bd9dc32947ca2b289d5e6c3

SHA1
cabcbcb693adbaaf42fb25fe6af99bbcf906c6cb

SHA256
ff676829ba191699a03f3f7f9f8b4aa3c45808376e9b1d30cc88549c4e239a42

SHA512
af50f9ea0afd856cfacbebd4547ce74b8ac95d11c9b6cd7d94d7ad021c0146f1630023144060a9e4b324681812a6d1e954aad97b1bc87a68ea5afdc8042bcc64

Download Submit
C:\PROGRA~2\FlashGet\language\jcptp.ini
MD5
91a282cf08ad20418573245e1897cd9a

SHA1
52f2cf9430d6da43be584f2067fbc6ba4c69b301

SHA256
e40d946750ab7440c30c545fd670e9f6da738e56fb5aeadebd49e97fd86b901b

SHA512
b85b1051b505fe4680d7b4c55847c77f42fde67d70f9ce9965f719afe55c251950c924574470e38296adf596850e6abd856e37645e3fdf1de68f4b36d38dd2e5

Download Submit
C:\PROGRA~2\FlashGet\language\jcrom.ini
MD5
e7435709d1d5473333901bcec0f074a2

SHA1
287cc527c51325fe6575f0a60e4ca3e5c9650010

SHA256
9531adc8e3c761c5f317a14e2548c4a33a70f26e37466249d46de9ca6d2d5f79

SHA512
262e302e84e9bcc28b730534deacf80784ecf305a2f50196fd1f4ab466b9e2a6dd0850cd7b8ed94a4ad447d86d559689c4b6552fea113b20e5db46c77625ef83

Download Submit
C:\PROGRA~2\FlashGet\language\jcrus.ini
MD5
4216d87b5ad019de0467d3f9402472b4

SHA1
daa0ed979b91f1c79d657bb4d305d2b8a72a64f0

SHA256
7cc8ba0d3b96a4312bdfc0934a048d3075e6c61ed02381edc3db11feb49e780d

SHA512
d1026706f4a8b9bab83580ab9a10539390d02ca222beb98c2ce3af1dc1a86cee958d9c40730bb1b9dcf89cc913af7c4c5536ffe33f524dc856cfb5ef1194b682

Download Submit
C:\PROGRA~2\FlashGet\language\jcslo.ini
MD5
e6fdc1b811398263deb95d0724fc7cb3

SHA1
126b58bb49e81b8173d9cad4c1af1c7e8314f62a

SHA256
1ba77b41904211c6c4d046be9ebcf5ed8d5b9ad9863f28620b7f547355d89ae2

SHA512
933a71392b2f1b2cb64387fdb13f85fe9de7859e29cef13ab23df417eb595bab4b719e67c0b20ccb9e141619873ee1cc2999237babdf24f41a92e5e8ed0f0f0f

Download Submit
C:\PROGRA~2\FlashGet\language\jcsrl.ini
MD5
d0f10331803c9939604c67c357890056

SHA1
9304e224c61fea265b5cb8d676ff69bf54535cd7

SHA256
d5c4c09b283546f7c34c3a867ba0f753ced5597e826a51eb79cacc701f854408

SHA512
657944c3fe5bfdcc88470328acc6e6af6ca7b023cb54f008fc8610760ac6103a8d4eef1501b7ede11eba7a67be92b2c9a0d2f479675d8c70feabd903b0db66f5

Download Submit
C:\PROGRA~2\FlashGet\language\jcsvk.ini
MD5
6e1350b77bef3f8aa44ba3d71a023321

SHA1
8a32379b2c3c7e3a61b5a0ababd218676a893aa3

SHA256
7223316aa2997e9c2e08fd482907b04677ab3cc3b654edb098c32b90cbb57456

SHA512
b21f565fa6965e0a49b030f5353cc31b3cdeb7908bde51b96fdb964a3aab452ce5d5030a1192063aaf4873ab297302a05a23a440a353e557a8418e0c0c39b3e5

Download Submit
C:\PROGRA~2\FlashGet\language\jcswe.ini
MD5
c0343fc3563c8ba50ffe497144a8ea68

SHA1
d1b4ca4d47979f3081be2d3d59afd3a995b0f75a

SHA256
e3b9cc62e5df82310f72d5e2633e46e07e06b1aa91cafc7e163fb21e319b81ad

SHA512
da71fd01e862cdb0329754063bb0b66da17660d2408e5b7ad9008bf806e51a65724e21fd13e029ca6826ee2bb9474c7f6da5ff276661cd51a20c007ecf331fe8

Download Submit
C:\PROGRA~2\FlashGet\language\jcthi.ini
MD5
fd8b2ef078a7c6772547741da7be4779

SHA1
4780d86bd54c173d9a0baaee426ecd06c715c28e

SHA256
317ff067caeda89d7767c70bf51cf9cf0ae80476850b192fc943b70fe9360322

SHA512
c6ae8604ee266a3d76450e89ba1bc5a0c0e0e29c00cd80e2432eb95704d97bf88c5860370fe3a0b33d759d7e78a5a86b3c6971c83ddddf0b1edab8bf5f3ff7de

Download Submit
C:\PROGRA~2\FlashGet\language\jctur.ini
MD5
0949be5180cfbac98cfb105703f6b236

SHA1
9e25f4f8d59ddba5fe8bab1ab78446a090b7d117

SHA256
c4cfa56950c6fe12d418c386c940bcac3e81ad5e02e1a13fce12525ef083cad2

SHA512
9c35a67cf86c4b829442f6da652e67f35f6931eb5290108abce3843d3106dec431d9a53a57bbe4f5b530fc06b6864aa8a0823b2abec7b38ad680a17483b2dc8f

Download Submit
C:\PROGRA~2\FlashGet\language\jcukr.ini
MD5
e305d4596c6e2a48029850db821c4cf6

SHA1
58b61206d74a57093f84187d61c13876d6ff196a

SHA256
17aac4d452986c6abfd3ec3e6f9e1388b9b87f88fc471cd749e7dcecc1d9bb68

SHA512
aa1978bbb11ac02d70f3fcbc7b6d3a8442691bafe24a568be90e9e4bbca50c0d4fc098dac7760973e1ad76055d2cbbc110a7f08b31c4313848ad7a122bb63ee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLJ1851.tmp
MD5
6f608d264503796bebd7cd66b687be92

SHA1
bb82145e86516859dae6d4b3bffb08c727b13c65

SHA256
49833d2820afb1d7409dfbd916480f2cdf5787d2e2d94166725beb9064922d5d

SHA512
c14b7ec747357c232f9d958b44760e3a018df628291e87de52b8174ccc4ada546eba90a0e70172d1db54feca01b40cd3aeaa61b8a2b6f22d414baad1f62e8e54

Download Submit
\PROGRA~2\FlashGet\Jccatch.dll
MD5
8ab453e6168a5fedfddf44bc13f42e70

SHA1
6895825134103ba0b29bf162d8ae75025d9c943b

SHA256
649afd34ec09dba3775c6f1180acf2a90b9f578eb7b465cc8dbbace322194d97

SHA512
58a5f33b6ea27bc00884494bee119102e5f0f66d2e2b98d060313bb375cb5d72550f8002e9b786a0537ae0714f435e9b78fdd27cb2a394ae6bca81c934c81d0d

Download Submit
\PROGRA~2\FlashGet\Jccatch.dll
MD5
8ab453e6168a5fedfddf44bc13f42e70

SHA1
6895825134103ba0b29bf162d8ae75025d9c943b

SHA256
649afd34ec09dba3775c6f1180acf2a90b9f578eb7b465cc8dbbace322194d97

SHA512
58a5f33b6ea27bc00884494bee119102e5f0f66d2e2b98d060313bb375cb5d72550f8002e9b786a0537ae0714f435e9b78fdd27cb2a394ae6bca81c934c81d0d

Download Submit
\PROGRA~2\FlashGet\fgiebar.dll
MD5
8fa3b8b4ecffde790da2173210c80a85

SHA1
7da2f629abedffa29cf90bd01f0004c7a91ac88b

SHA256
cbe2dec76512d17ef9ba5e2a26985d8daf6b62f69610de7c6824883269c433bf

SHA512
b09f7d147cd15f61bafe05badfc01bee855b67404a845b9d5d016a5ad1d88b71fea0890c043e1db781883ec34f5b80c5defa354ebf39b2051b245909e64cf9c1

Download Submit
\PROGRA~2\FlashGet\getflash.dll
MD5
c281625e4775f8ad88448c50afeb4561

SHA1
de3a5c69257a781ce06cc8cd2078f0fb4228358b

SHA256
9b6ae3b9419f82eb7eac02a0f7e25a5ac29e96ce64436338ff27b136a916d273

SHA512
e491d27e1827a1758726eca687b847f3e5818ffa96346e22955692cbfebecf97180c84d33b03d4ab09886cce09e289e79c0aa27de5832c67219cbedf56cbd3c8

Download Submit
\Program Files (x86)\FlashGet\gtapi.dll
MD5
320f2c2259f9192959f4bcac7c219bce

SHA1
66d7dc2b6066e516df5f795c9d222bfe2bea450f

SHA256
95b5db98fedee5b5f58f57d6b653e08b53014a321fbc128c11714deeb3eb6a5e

SHA512
f118ab332afb241a49efb4542209599158f590d0ab21c08be3ecba8be67d867b65151e066165bffef3cf5a429cb938ebb40662a9e0ab3325c7a56d0f9b51fd24

Download Submit
\Program Files (x86)\FlashGet\gtapi.dll
MD5
320f2c2259f9192959f4bcac7c219bce

SHA1
66d7dc2b6066e516df5f795c9d222bfe2bea450f

SHA256
95b5db98fedee5b5f58f57d6b653e08b53014a321fbc128c11714deeb3eb6a5e

SHA512
f118ab332afb241a49efb4542209599158f590d0ab21c08be3ecba8be67d867b65151e066165bffef3cf5a429cb938ebb40662a9e0ab3325c7a56d0f9b51fd24

Download Submit
\Users\Admin\AppData\Local\Temp\GLC1802.tmp
MD5
c9b68c644e8f0467205cef4518d0f969

SHA1
0338be23971b16940a17306a911fc1e9cd187b0b

SHA256
bb487118b0a800604e143d8e3424e2ad35eca9c687669fa5b1610c9ba5f50a31

SHA512
84b5aea631b7d3ce5832d84a0e13ef149192a6d690d4c6d292608fc3eb59e55c1411fd601684dd742c830d5299b815b70cbd28de446dbf29832f163879fdc935

Download Submit
\Users\Admin\AppData\Local\Temp\GLF23DE.tmp
MD5
ee137aa648f5a30f5522a48c176bf13c

SHA1
965505b48beaacbc4cdc6ef3442ec3a9bb1f1835

SHA256
3e0c4e282a232b65f22911a4ab25c7b8f84660dc52a2a2bc4f1a90892ad02472

SHA512
09b8af458cb8d4de05ec60de699b2daf55444235892b29a2096a6e632399003d2c0596f38b1b6be0df545c7e39c7709797d7a9ac3901177a0be3d5e7d74dd7ba

Download Submit
\Users\Admin\AppData\Local\Temp\GLF23DE.tmp
MD5
ee137aa648f5a30f5522a48c176bf13c

SHA1
965505b48beaacbc4cdc6ef3442ec3a9bb1f1835

SHA256
3e0c4e282a232b65f22911a4ab25c7b8f84660dc52a2a2bc4f1a90892ad02472

SHA512
09b8af458cb8d4de05ec60de699b2daf55444235892b29a2096a6e632399003d2c0596f38b1b6be0df545c7e39c7709797d7a9ac3901177a0be3d5e7d74dd7ba

Download Submit
\Users\Admin\AppData\Local\Temp\GLK1A46.tmp
MD5
80af8dd09484fd57ee8c1b6c5c6267bd

SHA1
cd84fb24b823cf113e53a6b31b6cec6aea01745f

SHA256
1d079cf4785ee638ba466ecccd6776d327bc3abbfbc07ce04aecbcba1406f3f3

SHA512
8c160949b28115ec951084729280e6d7976df4ab96b6057b37bbe981518742c4b45474c8219743d9338ebf080fecc33779f13c899be9495f46dde37979fe3bb6

Download Submit
\Users\Admin\AppData\Local\Temp\GLK1A46.tmp
MD5
80af8dd09484fd57ee8c1b6c5c6267bd

SHA1
cd84fb24b823cf113e53a6b31b6cec6aea01745f

SHA256
1d079cf4785ee638ba466ecccd6776d327bc3abbfbc07ce04aecbcba1406f3f3

SHA512
8c160949b28115ec951084729280e6d7976df4ab96b6057b37bbe981518742c4b45474c8219743d9338ebf080fecc33779f13c899be9495f46dde37979fe3bb6

Download Submit
memory/780-117-0x00000000005D1000-0x00000000005D3000-memory.dmp

Filesize
8KB

Download
memory/1272-136-0x0000000000000000-mapping.dmp

Download
memory/2084-132-0x0000000000000000-mapping.dmp

Download
memory/3480-172-0x0000000000000000-mapping.dmp

Download
memory/3480-173-0x00007FFB7FA40000-0x00007FFB7FAAB000-memory.dmp

Filesize
428KB

Download
memory/3648-174-0x0000000000000000-mapping.dmp

Download
memory/3944-128-0x0000000000000000-mapping.dmp

Download
memory/4056-123-0x0000000000000000-mapping.dmp

Download