96bff9e01f50adbe3195bcc822abc1b57e43899aba8985d9d0b9775a9218c286

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3895bf759a11983313477512aea207f3_JaffaCakes118.exe
Size

682KB
MD5

3895bf759a11983313477512aea207f3
SHA1

0cbf3387852761f23b18d1d77b8c3940a747cc10
SHA256

96bff9e01f50adbe3195bcc822abc1b57e43899aba8985d9d0b9775a9218c286
SHA512

caa9f6e6268110fb02c67f4731528c1d2940c691213a627501d57257c7f677cb0c24e55b5fdcd4bdc5efda1081d2894f9273a97b9df567c408244277736f3e8d
SSDEEP

12288:a/4Blu6QwPq4s11rMrYV2zpoF3Z4mxx2DqVTVOCsH:Q42Wy7VMrS2zpoQmXVVTzsH

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2524	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2648	sys.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C1484B81-3F68-11EF-9297-6205450442D7}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C1484B81-3F68-11EF-9297-6205450442D7}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1484B8C-3F68-11EF-9297-6205450442D7}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C1484B83-3F68-11EF-9297-6205450442D7}.dat	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\sys.exe	3895bf759a11983313477512aea207f3_JaffaCakes118.exe
File opened for modification	C:\Windows\sys.exe	3895bf759a11983313477512aea207f3_JaffaCakes118.exe
File created	C:\Windows\sys.DLL	sys.exe
File opened for modification	C:\Windows\sys.DLL	sys.exe
File created	C:\Windows\uninstal.bat	3895bf759a11983313477512aea207f3_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	sys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807070004000b00090022001800b100	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-bd-0f-ab-6b-5b\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\OperationalData = "4"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C1484B81-3F68-11EF-9297-6205450442D7} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 40ac1e8475d3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Connection Wizard\Completed = 01000000	sys.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\F12	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807070004000b00090022001800c100	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807070004000b00090022001b00870100000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005dd77e3c8c27d14b91d373d4eaab90ec00000000020000000000106600000001000020000000cd476e828c71963f260873484bf732871cd5b48b55dad865e5f935fd75afe884000000000e80000000020000200000005b3c8f2e007607791c0e1056f00674439d5df910ffbd50726a0330ab303bee891000000021335610a544b5db5b610766712509da40000000ead6e2c5f423216561eb69e5ba636e53254b98272718edab6b1606c7853e4996312a46274d024ade8f08adb91afc70642571dfb7dd9823edf2f026d179d68d11	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard	sys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2656	IEXPLORE.EXE
2656	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE
2676	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2656	2648	sys.exe	31
PID 2648 wrote to memory of 2656	2648	sys.exe	31
PID 2648 wrote to memory of 2656	2648	sys.exe	31
PID 2648 wrote to memory of 2656	2648	sys.exe	31
PID 2656 wrote to memory of 2604	2656	IEXPLORE.EXE	32
PID 2656 wrote to memory of 2604	2656	IEXPLORE.EXE	32
PID 2656 wrote to memory of 2604	2656	IEXPLORE.EXE	32
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 1724 wrote to memory of 2524	1724	3895bf759a11983313477512aea207f3_JaffaCakes118.exe	33
PID 2656 wrote to memory of 2676	2656	IEXPLORE.EXE	35
PID 2656 wrote to memory of 2676	2656	IEXPLORE.EXE	35
PID 2656 wrote to memory of 2676	2656	IEXPLORE.EXE	35
PID 2656 wrote to memory of 2676	2656	IEXPLORE.EXE	35
PID 2648 wrote to memory of 2656	2648	sys.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3895bf759a11983313477512aea207f3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3895bf759a11983313477512aea207f3_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  PID:2524

C:\Windows\sys.exe
C:\Windows\sys.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2604
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
31bb1150d135ae792d4a070b11ed613d

SHA1
20e8e1c1429bc0f987c452d771e812968de454f2

SHA256
4438a3476cf3b4ee98847c6b7312e0091316129d13a1acccf78be19454725413

SHA512
39460fc81cf8647c9dd67e64eb6e509dbac1218527e62d3f29e72303e2ba96af6d826aa622835008cd3e96a1b9c584317267ca1a4183ba47490b0ef20e5f7e46

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c199dcd7bfd236b661097347fa1fe59

SHA1
1c3fcfa55ea2f57e42ca824c971084c8673e5dda

SHA256
35bb2375eabd6937ee00e11e9c665b5ea69bf2b76d905d84300160bd50213b83

SHA512
570bf11f17ebc2ec04d819a4d32ec02c9ae86c887410cfb419932f1b8b97d7fed799e62dd27b01de614e469bf92540535c2e354048a85778f2b614d562dfd810

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5affd54a84cdc0e81139bbaa2b6a6102

SHA1
1cf0e573c91d1e5176497a42043ec7a42a4e9ad2

SHA256
659c5985260102d85c3dd09ea1d0b6abf6b4313d928abc61b950d041d8ce1531

SHA512
645c8749069e72557e8aec46dd5461fdec74e052604461ccaa556ba3dd7b9cd4916545048b66e474069e3dc688ff316836bc08c022f0721790996f2945495feb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28cdaf5b8c4358beea61d0b191b879d1

SHA1
c86b279b4ab5eb8914066a64e100258ee3767435

SHA256
607128518c8b5a01ada9fbea6f7580966163f72cbe673b9788a7130b174150e9

SHA512
7542bd1c8baae027c7fe56fa89603ffc17c2684b60ddc177acb53db5b00edc735b9ca9f6ef9079716bdc73310e0eee41151e1a1679f856b8646ca7a27fba8255

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f2631d82a823ab6e5e81b74f7526edb

SHA1
ef44d09a9a85c5b2684da3ec51eeecaaf14a7de6

SHA256
cf47905edd84cc4cdf2e38a4ce2ad5b4c277d34d67df9a76ef54486805238c9b

SHA512
48a792e709b9c42d3e504c043b7bf1c1224ad285b9a8937c5df479eaf7d7a078d4a65c1c140417464b5b8422c0980842d1c7365686d0af991fc0376a33262b9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c92ec0de967cf31ed269f8b1efeaa6d

SHA1
fde51364a099d4bc01dbdd6c9cf34e63e92d2ffb

SHA256
17b50d02b53ffea64a859c0f26b00ff68e6a51dca8809aac22aa55e58ec21dc1

SHA512
13f45dcd19123143807e044f9187943989644d9a64151b9274c4a3ba2abcea02f6a72f1076a98305f59b59f47065a9a1b449ceb17bb82aef31464430c15049a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b44a1c9ca84228eaeeebb0b03a8b111

SHA1
4b3dda2aabb7c0526d665ea4ed57e84add0f2214

SHA256
62ab6bbf63ba0c1fd36605bc279596f48a37e174e6bf1d7de2a16ef1c449ae0a

SHA512
c6404495d472a37a4a5a43fd4e9a4f7ff1c504013f80258f9831dbbb5e3c8601b9462b9d79a56e3ba31b2e6a0a8f853cbb55b9a9f8cfe528309ce5df2202b01b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
851cdeb33a784256e95c89c7b5021861

SHA1
84b8815e7b4955ceebfa03bc6f0ad50eb4966aeb

SHA256
c9db2252da8f3bb18232f8183c87aeeb2ba3c3d1ee285eb175de9d106b539ba1

SHA512
9ba74482487b44b8168e1824e1e6950d7d368690cd89b5fc5c35e7ed15f449a97ebd494b94b70e3fb061ecfeb75ed03753b36264576de65e4ab8454c26e6baf6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09f97830e0d5e9e862c1f59cff47a554

SHA1
946958c2bfe5226ae76644934796f0d7689fa034

SHA256
e50b8140ac4971454a09b95289b4d5a4d94cb1fef858004afb49aab9ba6f6b31

SHA512
ee1b59a28a7fd613ebd7cf187488f41c4df5f97d1cb69c26278a4e40381b991f2fad1cd0d2e848a22a4771a29d45cc229689c2ba984f4efdcadac8966436ea39

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b8914c5d6beb3a6c35a80990f919100

SHA1
f739afb6b3b4afec8a144d6b2cdac564961cd656

SHA256
121e44b0d22c3af95f2e104409d6223440edc2309a6c75181e37a86d52805eb3

SHA512
f58f97ab69de638bb13c149b6c51c2258edbc5eb29dae75c0695ab89e14f9828bd387d23b0c571ecc59e8547106570b9aaaf6eb30758ea20e26186f05baf3e8c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52a91d2224b31011e2bc3a55fd97572c

SHA1
383f77f60e0b42209c5e6b7fdffa66dd3d440064

SHA256
f5037ac40c989beab0715b6db5b35c18cb10abe0695f242fcfe8591ec7f4928c

SHA512
9b3cbc101f492fa0a98a93f81c741c0514865dbbc8131c792efa0286dab0ebcf6c00c1bd123a071fdf99a389af1701102ca1f712894cc5110d4fab80a8a99c8d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5fc29c811184a0a0b81f44c2ef504ce

SHA1
0643f94ccde226ee8f8a194579e0037603c43c2c

SHA256
af1da1db3a08feef6930ae2343bfdf1ba479cb6dbfaa62f94cb9f9ad11b95b6d

SHA512
a79d90bf1c2c666d6e4d138cb246321c3dcf7a9b1a577d39b8108cc19cf07d51940e18336f3d9fc11c9ac70d7cd33696bb46393c0d35daba476e651dee6d7ce9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d4c6e1e4c5f9a268ede2e4062d281b3

SHA1
e70ba69fa69fe01f407fdd5861752ea73a0ccf78

SHA256
ac3a93f80c49e17ca6666f7d9dc94c1e1e0bf31ec5c0ac7a08b461c7094d1083

SHA512
8a70b1d33fc082a01c389f80b1519c83a894db698f4cd7dd2028f240470c9b0cde4171aa8bd73304c618ce1cfc4e19b91d7a1e4f70d186f427f0f5fead05ae8c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec98832f18b6c499b6934ca327592c55

SHA1
fdb0d3e735e57628e8b52f16a3491018373cfffa

SHA256
d9838bd89a35c29ce4324a2a78d8f968cda0998292422f7cd2f3b95138af87e3

SHA512
7f1b2a87da9e79b9a1dd721dcdbc1d513a9281b512ff8c8c0cc9015c4c1ecffb15b1a7ad4a094a9acce13b1a8747afe82b8c50191a59fe7d2d2bc800ad702070

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
240d3335e1ef36f6b67459ba0057de59

SHA1
3447df52117865673dbd8ad9b6eafbf80d12f89e

SHA256
40f0b99335c7164630e642a42b71113c75e90e1b82d2f25510ee6493de3855b4

SHA512
cff4b7c48de2ec211597120e3885668885bad58101e84228e17f8e1dfbc9898b069a6bf5aa9cde9a170b36a991b09d23f38b77cb01dd60fd5688d7f371523e0f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a4cfdf45d53c21a00fab452a8f8b0c2

SHA1
94261d8a7abea79670cae58dbc51ed942d1b911c

SHA256
3f1aa4c08bc292094931a8dddac367781d0185d7ecca6cf39ee8a1cbc841f1ff

SHA512
359046053cba84549e9122889ca8afb5db2e0b6744e01aaf0b682f26dcdfbee1bcfeaa03609b6438010fb7c0e05afc4e93c3e4e84f2d9a95caa8cf434dd7eb75

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65586797f73ee9fac6555735cba5d1fb

SHA1
9961b2b15a2a7c19971d0de5769c737fa2737aeb

SHA256
53515a2827a2052c76d5e9285ba51682fada647afc680c5ba0fb0bc3d9c8a1a2

SHA512
4e510511b2099476c1ba4cd84a6872f20b837d230bd58ee563bd597399a81f4bbd93a0cc2bd2267da7af944ce27cbd2e1b9516e044e3efa26024a274a47cdd61

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6edc3286e7eaf16f4c244b09ec6d2da3

SHA1
701d9d6a3be7bb26bc9ba357434b619f09275f8c

SHA256
68bfaa542be4dcd0e92af3aa4db66a9f0bb882658dff8755cafe25e33f21db2a

SHA512
fce088a914a2ec95a5b1408b0907a62b626084dee538a6dc2fbf832948352d75b6e09be5cfea197a70712e3eea670581a1618ee26ef569af840c48248fe0259c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d33d5a47e37eb1949a07f5d2d2a05671

SHA1
a432276c3182f7f86639ccfd5106def3df907ff4

SHA256
ad86f9b403bcae89d0f5a1d54d24d7b859c92bc5b164777239d78273acda2f61

SHA512
ab93b5926af0feb4772f35858efbcbd3d516b1b8c67ef499f1dea05a559fa676c9a50de7fc9bfef2befa8de96538ed36f1f8e1c61631ca28b20beb03d7c49e7e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b1baf4fb18f65a8c50b2bdf11dd222c

SHA1
84f61331622dd9452983c486e9d69c4d38a5636a

SHA256
a03cb4d78de4ddb6b6e3ee9dfadfbf7add421be1a3fcc7770007f70458b34e92

SHA512
6e4017d7bd220b1fe7c28364102a7fc701e6a4e9b80ec1c0cf433cee1d46832f3eaad883e0d9a42e14ca4a8b443b9f2ed52d2ef6b60b4da943879be04eeb75a6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
189504b00291117b9d7f7c3064797f8a

SHA1
9f63a178988f3563f41c95e6c9f3a668456b0f14

SHA256
821948ea8235d84e787a1eef51c2261e081b62d05d277c0296fe40c5ac5daa31

SHA512
dba1d0c78268e697c5720031da3813dfa600563a916d034262f97cb83ebea68ce46fa3d629f5db04068a6f81eba530917cfdcc81196d174c6bdb43277874dcce

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
863540abfa2254971b90ab82240bd5f2

SHA1
26798ddfc71cd048d8ab224d1588984edee1314a

SHA256
0c923f5e81a33d1413c0f2de18b49a95a2d74ed280f28c7ac87cb5b0ff0b4c2a

SHA512
8f3cfb1974b2274c561f039b78ac418b24b1ebe5c60f4487c59996d9d074ce743717d6be878ed7fcfeac7ed67312743392a36897c39d7cdad01597104a336f5a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab2A5.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Cab337.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Tar2B9.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar3D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwF6CD.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwF6CE.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\sys.exe

Filesize
682KB

MD5
3895bf759a11983313477512aea207f3

SHA1
0cbf3387852761f23b18d1d77b8c3940a747cc10

SHA256
96bff9e01f50adbe3195bcc822abc1b57e43899aba8985d9d0b9775a9218c286

SHA512
caa9f6e6268110fb02c67f4731528c1d2940c691213a627501d57257c7f677cb0c24e55b5fdcd4bdc5efda1081d2894f9273a97b9df567c408244277736f3e8d

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
63499c788d559567d077df22538027df

SHA1
e730042967b84c90d5ac356009fbdb70c921dcf8

SHA256
f974b3dc39348774032d4d247103f711c825df06755525900fded8a4c079bcf8

SHA512
6a3ecae0569b0b2b1fdb24047fd746a3efebcd3a2571fbdde776e5cd4bba5e648d5b489a393438ab6288351c76efceb088bb1749e587881423ef253dc7e4c831

Download Submit
memory/1724-67-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-60-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-53-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-55-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-56-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-80-0x0000000013140000-0x00000000132B0000-memory.dmp

Filesize
1.4MB

Download
memory/1724-12-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1724-58-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-52-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-51-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-50-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-49-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-48-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-47-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-46-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-45-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-44-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-43-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-42-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-41-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-40-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-39-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-38-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-37-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-36-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-35-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-34-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-33-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-32-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-31-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-30-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-29-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-28-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-27-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-59-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-54-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-61-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-62-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-63-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-64-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-65-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-66-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-11-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

Filesize
4KB

Download
memory/1724-57-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-17-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-18-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-19-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-20-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-21-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-22-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-23-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-24-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-25-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-26-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-16-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-15-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-10-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/1724-14-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-13-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1724-2-0x0000000013140000-0x00000000132B0000-memory.dmp

Filesize
1.4MB

Download
memory/1724-5-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1724-3-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1724-4-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/1724-6-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/1724-7-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/1724-8-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1724-9-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2648-603-0x0000000013140000-0x00000000132B0000-memory.dmp

Filesize
1.4MB

Download
memory/2648-71-0x0000000013140000-0x00000000132B0000-memory.dmp

Filesize
1.4MB

Download