ff03b0ffebe6baa781e9a687f7a0aa0ad4e4bf1118df076e917ee2aba6b3ac62

Analysis

max time kernel
141s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe
Size

628KB
MD5

81c88ca356f3603870cd9ee3b097e10e
SHA1

5aa8bf6233c6d3d8a7e229d7a858b880aca990b7
SHA256

ff03b0ffebe6baa781e9a687f7a0aa0ad4e4bf1118df076e917ee2aba6b3ac62
SHA512

6826efdfc16775624c59daa552a226bf5601e62a03434979232c934131b31a85ad5224d0b52e67162547b22a095c5080f3448ad406e51b3b13dc85cf69f3133f
SSDEEP

12288:61anROdLvNCrQB6BEZ+mxoeQuRdu8vxdF3Z4mxxKKYqN3gXEZq08:6AOBvgc6aLxvvxdQmX/G

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2312	G_Server2008.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CE033CF3-504C-11EF-BF23-EE33E2B06AA8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CE033CF1-504C-11EF-BF23-EE33E2B06AA8}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{CE033CFC-504C-11EF-BF23-EE33E2B06AA8}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CE033CF1-504C-11EF-BF23-EE33E2B06AA8}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\G_Server2008.exe	81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe
File opened for modification	C:\Windows\G_Server2008.exe	81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe
File created	C:\Windows\G_Server2008.DLL	G_Server2008.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G_Server2008.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80708000400010015001b000b003b0302000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e80708000400010015001b000e007201	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = d08a819059e4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000049797e724fdd614ba3300a22e0034d1400000000020000000000106600000001000020000000c9fe4973bcb41b8dffb019a7098336bac2fd921efbb02b8ad86377a4f8a1e78e000000000e8000000002000020000000a18397326bf761617f00d32402b683f9a1d442124b60ba7adeb3f6ff9f220c8010000000d6762b06fe6384361fa85c96b3f9325240000000adfc0eabb67249d159ed37bebbddd6b04dd92a398963755e5e1c8b0c6b75dfba47a3df62f431b8b86e497c62b5dd23d88698744d8f5dc463523fe756c5de739a	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Connection Wizard\Completed = 01000000	G_Server2008.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D9421D3-DDFD-4F5A-A6E0-282D7C20C8B2}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 5005789059e4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Connection Wizard	G_Server2008.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9D9421D3-DDFD-4F5A-A6E0-282D7C20C8B2}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-b5-7d-4e-08-22	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2312	G_Server2008.exe
Token: SeDebugPrivilege	2776	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1424	IEXPLORE.EXE
1424	IEXPLORE.EXE
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2312	G_Server2008.exe
2312	G_Server2008.exe
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1424	2312	G_Server2008.exe	31
PID 2312 wrote to memory of 1424	2312	G_Server2008.exe	31
PID 2312 wrote to memory of 1424	2312	G_Server2008.exe	31
PID 2312 wrote to memory of 1424	2312	G_Server2008.exe	31
PID 1424 wrote to memory of 2760	1424	IEXPLORE.EXE	32
PID 1424 wrote to memory of 2760	1424	IEXPLORE.EXE	32
PID 1424 wrote to memory of 2760	1424	IEXPLORE.EXE	32
PID 1424 wrote to memory of 2776	1424	IEXPLORE.EXE	33
PID 1424 wrote to memory of 2776	1424	IEXPLORE.EXE	33
PID 1424 wrote to memory of 2776	1424	IEXPLORE.EXE	33
PID 1424 wrote to memory of 2776	1424	IEXPLORE.EXE	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c88ca356f3603870cd9ee3b097e10e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2384

C:\Windows\G_Server2008.exe
C:\Windows\G_Server2008.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2760
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\G_Server2008.DLL

Filesize
578KB

MD5
1ded443689cd64081e135575030e1ccd

SHA1
cee3742d4c06f9600d6c47ac8620115f644149cb

SHA256
53a1c908186746176ecbf3714e42f5fbe1ea21c97aca9bab6169e5e7155f61b9

SHA512
89e73269c2844884a28698df99f5c05fece22c3ad73b5ff5e47b584264dcf0e3e700fb073a23435a7d33425ef29f3602d5c53c0ac5f6b9ce62a69b8b6f03156c

Download Submit
C:\Windows\G_Server2008.exe

Filesize
628KB

MD5
81c88ca356f3603870cd9ee3b097e10e

SHA1
5aa8bf6233c6d3d8a7e229d7a858b880aca990b7

SHA256
ff03b0ffebe6baa781e9a687f7a0aa0ad4e4bf1118df076e917ee2aba6b3ac62

SHA512
6826efdfc16775624c59daa552a226bf5601e62a03434979232c934131b31a85ad5224d0b52e67162547b22a095c5080f3448ad406e51b3b13dc85cf69f3133f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
af291cc6002fe76c5eb3c5f32a5d8e3c

SHA1
4ace9c49186b724d74943ab06cf6e5124bf07a80

SHA256
08db5a55ffa5c179a38fa041de910bc1e4f43e4c5637bd24eff449c7dd362d22

SHA512
aba820212558336714a79314077652b2eca1198ed67f05e98382e5b8dd3d953cfdfc044ba18ae4cf7102f9aa3bd5bc9ecee4975e902d33745c784a61fa9cb3f9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43b45ff8146cf1fd32389e79001aa955

SHA1
b2a0d114768d5a6d6ddd200ab44c001dce39dedb

SHA256
b85ca2418aa9bcb27107a4c37f4365c5a4931b23a9da034a456edaff4b443226

SHA512
c04df0dd4885ec3a26b3123a3201dcbdfe4500692c571d8e45315e46f2122d87986c412e60bb60cf5531182f4f72181120f748863a76e158efe95e32d956dd37

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fc412d1f6f9d9ca1cfa6b32325e23c3

SHA1
1b24e6a093165ea99ab955d4050cc0e7d61585c5

SHA256
8665060de1467369f21e23218fc208f1b4e1d2630700a9d61f4fe1baf936f3c6

SHA512
ea1172c630d32e5607361a54f9b610a2093b3a08e3b3f2332a8ba8471c9c93a4f4c6d27b70caffab1b72326b1b250cf094b0c2d9e41e60085683ee5de9982b1f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78e0525c1db632c513f8f0b1dd6ef347

SHA1
2dc39e5567ef3b4e630c89c9651f97a633513774

SHA256
5b790054071b4f61c4ba652294669924fec0c7e19834eb3d790d314bf759d339

SHA512
19922770420168bbacf3097c0c2ed5ad2616349f4b251cd4a1b93669a67f1d395886a5091acb69fcce88ad3a6eecbaddf1534c312f64030c18e33cf53829ae52

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a04f55b1a7c9dcd499481f8b10619ba

SHA1
8f931231e7a4bf9753ca4b3589a6ae7223c0c719

SHA256
298e6f522ae471dcba2fc6a31940dca3bfb2e8ce392e1499e30bb5290c35b44e

SHA512
5866987b0acbf04600af2958725d0918db78616950f4170a631207d9ba3e0fdbed25fce4d472261cdabf47365860ee7140d9cdab0132e38acbebc8549cbfe97f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30c416b772b34bbcc45aac9d5c35f20e

SHA1
16fc5565d2eae1c31fe2c41bee0f8448b3dd4fe9

SHA256
a0ed7fdba3cf7ba012aa65fb4d425c83db9dd3f432976d2ebce7cebc3484fbb5

SHA512
43128a59c33e322c2c50c3c2977db2e1acb0afab27e2a423c1d771cff7b0a41d2d8c21c4cb2f1182989f4341c81cdac02eb1e4cf48d3d60ab991d0ef55a6c1a3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39464c592e7b350bae27eedf22fa7744

SHA1
3e59aecedcefe7c69c877ac69c006d0f9034d54b

SHA256
d52d47832ae8bead86fbc0eae12cc7113d3ecd1213b8e424a0d992dab65bd44f

SHA512
e95df1be99d7d34a6f05fe2aabccc231333011ee03c485960c90a4a6d69b7334bf004429ff71658c04954450ce104d3a5933d2bc28c0cf311b9a74a5a61f7727

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6659d2f43873a8e6ebf03fac5e8eb369

SHA1
3aee71697400b838d3dcd78a6d1a1a874d98439a

SHA256
a7cf1a7408f3acd3863904370cc66347b596f8565ee288759b67e9d3f61a0245

SHA512
a948e57db93ecd21ad3f18a94067fa198d66d4d195e4317a2e6def03d93d2d3dbc3e29e5aaee3b9e607e3957db0d5055bb7821e58eadd20a32b3b53d05dd21ae

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
455ab1abf679a5bba1784c285c2ea66d

SHA1
353aaf58f2385e9c63c92b8c744b988441543977

SHA256
b0595492c80defa38172823b9e6a0a57ce7befaecaaff9aabb9d170b0a756b05

SHA512
ed59ddce7d2abba9b0a7c87130486ad7f63598d87c7a0f5b3febd083a3991f9b45da4d546ad2cc763f24c217e9d4cc6e0ec0ebbef48a7400ca57f4b3ebe5ab54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e228ef6b91706a192c9e7b4de1a4619

SHA1
235d2ae375dbcad29325773855a834775a2ad77c

SHA256
3ad09719cab6b80cfcc1aca61588d033987c6219ae487901e4ff12db0d61fd2f

SHA512
64185f47c6c92c69865d797f3c981dce25d7e9345fa7ce188d3cbeff1aafe83828336131b85caf438ad6ac1ed5b8dc17e10a3326dee8c594dd9b26b50e821a2e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4da5828f6f835983260838513fc1b389

SHA1
11a47272b8d31d5a0c79da0ee670f2af71f24cbb

SHA256
988d457e490434c96e95fa1db4f927d57779b93dd580fecf735616f9c1bab521

SHA512
cfec4fd4550e2f87853f397d942276552ab24419b137facbcfe96bd4f297cff1ed39eb19bfd46d2df97bbf8c0935123e4a1a6abc98933dfc9c46fd3357eabfb1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db5691de76c46aabdd377be5fe4ae2ba

SHA1
e2d85eccf5e80093c2e8b2eef66bfb4dad014ea6

SHA256
a2ff937254659a6bd1e3857ead2f9b644603bc73e180040ad1b89f4ee7cdbb40

SHA512
443d6fbe28a2432eb3afffca5d323ada19a87a4a37a5f5e34bc6239107b9731a037acfed2353d6c72b75a8980031d95b0860034d4b32e767e789d91db2cbdb4d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e9bea0c0916463085e76af5db7cbd59

SHA1
4588d43909d32744f6c03994d3bec5cdcfe15b49

SHA256
23930059abbb2116383ab53bfd0c8521a4bd6bf839a81645676eae95a3d52e55

SHA512
abb4cbd870680946f8d1eef59ea096067fcd832bb765336811f4ebc66f563e56c2bfde2ca00eac8aa0e3b9925f96c9de490ae8333635a46ef6b24faea40d5965

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a807c87d2bcfebc867993277127548a9

SHA1
cd8db3c95a90aec3d28567a12f7d568b03f2051d

SHA256
8a5eb8a1e531717d1523d5320c56f252ca15acf3ff4a0056f60b2da8a80702f1

SHA512
f0c0eaa5a3e06b31f8686494c3ba2a68a928a1c27e23e172827fc9164e7a1cd97f4fec26a419eb571d2855a75d3eec7ebb7217ca74167745add06b753c514206

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97ff60c906196445f7b9c04cfafee0f4

SHA1
9035b4c8e4af05f6a3d04e64f4bdef92eed6c8b0

SHA256
5700e263edb148855a604475b8347c551916f6c790e26f618432e919fa91a58d

SHA512
0ebeb6208f8bbc34278c144f67ea25fdc921f4fe72acbb9df6ffac46631f826a2eb12af26f841163f9b430ce535be59c5be6adec246b2d2fac561569a8c01852

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2a1e1da35161cb0d878e854c33445c4

SHA1
31a06d4e8c0a03c016a1fe795d8c4b4e679f536d

SHA256
70032183274fc7de672557687f7eb0b4573856d389f13771c814b01b089cd1f1

SHA512
fee00990ae54c931aee64843bb2723f215b205f6bead710bfb9ef213018ac6c4dc6b24e969dd7ec52ea72895e0e82f566ba9043709aac7a2e88c3b3804c0db1d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c99f6d8b91a1d7a00531342caf5f4f60

SHA1
c6e6cd0c5c2046b1371a11205a0ee94f27b456bb

SHA256
a1c83bd24c30c973b0780e9b213c4fe06698a3dd9a2fbe78b52b20fcdd163a3b

SHA512
1e1b5fa9262b5e4d7376b178c452ddb3bfd1c6713e7acb8d70696aa45a3e7566edb30ff56d49a6e9d93076ed6459f104e98da1dd13da1bb00db7dc5e11296ea2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a8be9908adbea8b818ca08e3a6b3ae0

SHA1
f6a23c2b13681c90a90f304527856a7d5c6ec40a

SHA256
cc82d94fa52530ec1234ec85d90657f4d6d3f84528f641ce59ea0c53e71595d2

SHA512
b2116f1ac4c128b24b731c14db7ee8baea72b476339cc6f0c3237108adf3181c01042f04f437a8f716148958b6466f9b47ff62b46d6d8b143b9cd5ad8845cd01

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f813f7f16954d8d9da7db270ee7c69fa

SHA1
2e03b60daef14d79814470f55716f1eceaaa9f34

SHA256
0b173bb9708932b163e761ccc6c2d2edc751d351d7ea4ada250503be21336598

SHA512
ca42e5af5465155cc058ead1dc88e9985ffd9bb9b99fa12caed09886c281425f78cc2495a92ae5838baf6a313cf9655fd265a7b300b4388749e2e4d112633cdb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2ec3a7cc3a38b8be8a80ea58476c48ae

SHA1
d172cb090e1a0296489401a9ff6a18ff2f526d3b

SHA256
23b176cbbd13c9d37de93bb76910fdb76eefe33a704fbae6c1652330e7920ad1

SHA512
10b5ac2f2c3ac0c4c07e04ef85b4f0a64befeee1bbf3a42ff180baddb8bc5048d792d646af7a8098ec3e36bfed861bfe082fb001f754ded471b20fbf4d2b1f8b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabC6DD.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC6EF.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarC8AA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwBB44.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwBB54.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
memory/2312-638-0x0000000003AA0000-0x0000000003B37000-memory.dmp

Filesize
604KB

Download
memory/2312-710-0x0000000003AA0000-0x0000000003B37000-memory.dmp

Filesize
604KB

Download
memory/2312-709-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2312-19-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2384-23-0x0000000000390000-0x00000000003E4000-memory.dmp

Filesize
336KB

Download
memory/2384-8-0x0000000001F80000-0x0000000001F81000-memory.dmp

Filesize
4KB

Download
memory/2384-4-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2384-5-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/2384-2-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/2384-6-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/2384-7-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2384-22-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2384-0-0x0000000000400000-0x00000000004FA000-memory.dmp

Filesize
1000KB

Download
memory/2384-3-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2384-9-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

Filesize
4KB

Download
memory/2384-10-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/2384-11-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2384-13-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2384-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2384-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2384-17-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2384-12-0x0000000003210000-0x0000000003212000-memory.dmp

Filesize
8KB

Download
memory/2384-1-0x0000000000390000-0x00000000003E4000-memory.dmp

Filesize
336KB

Download