d8a74d0c8a4936c594e08aadfbaf94856a73a41d96d2ebd2c4a30ced6ef1043b

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
Size

1.5MB
MD5

81d02e4ebb0b666ac89670112663d315
SHA1

d27e6988355cd6ff0a565440dfcbd12955d4864a
SHA256

d8a74d0c8a4936c594e08aadfbaf94856a73a41d96d2ebd2c4a30ced6ef1043b
SHA512

de0731af857268735e8aa75983ba2b18f5a96e1862f8720964b70c4e22a9cb4d7ed1580d52e4e85d481a39560624aaf729f20ee5a4aecba8f06003aae77cd6b9
SSDEEP

24576:Sgzpo43nHOXTy6XyKcxJDiuAImPlDz0iunFaWlYXIK5J52Rc3x9xeGwL9oWku48s:SgzpX3nHOXTyO0Zjd0DeosG1UGW9o3u3

Score

7^/10

discovery upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1488-0-0x0000000000400000-0x0000000000723000-memory.dmp	upx
behavioral1/memory/1488-1-0x0000000000400000-0x0000000000723000-memory.dmp	upx
behavioral1/memory/1488-107-0x0000000000400000-0x0000000000723000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\windows\SysWOW64\galex.dll	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4153D921-504E-11EF-A748-EEF6AC92610E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428710118"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1864	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
1864	iexplore.exe
1864	iexplore.exe
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 1864	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	30
PID 1488 wrote to memory of 1864	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	30
PID 1488 wrote to memory of 1864	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	30
PID 1488 wrote to memory of 1864	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2000	1864	iexplore.exe	31
PID 1864 wrote to memory of 2000	1864	iexplore.exe	31
PID 1864 wrote to memory of 2000	1864	iexplore.exe	31
PID 1864 wrote to memory of 2000	1864	iexplore.exe	31
PID 1488 wrote to memory of 1924	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	33
PID 1488 wrote to memory of 1924	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	33
PID 1488 wrote to memory of 1924	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	33
PID 1488 wrote to memory of 1924	1488	81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2720	1864	iexplore.exe	36
PID 1864 wrote to memory of 2720	1864	iexplore.exe	36
PID 1864 wrote to memory of 2720	1864	iexplore.exe	36
PID 1864 wrote to memory of 2720	1864	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81d02e4ebb0b666ac89670112663d315_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.dnf1100.com/down.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2000
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:4207618 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2720
- C:\Windows\SysWOW64\explorer.exe
  explorer http://www.93dnf.com/down2.htm
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bef73c3da8b4c2d6d100e18d26c25f45

SHA1
7dc21ae98c10f7ce2ccd60194f9b994595f8b3ef

SHA256
5af2dbb51ab1d1fce099513d22986d7fb7417bbc85ee58366ecafddd3bcce484

SHA512
793c35c9e7fddea1ae00ab8ad7c6eff9e15428ff8a0c0b2abb8cd50187cd64304f372ff608cc312fc19d366cebfb76712337a1d724689304aba4e2448e7eb9b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffa4a065a4fcd05fdfe75865c1475850

SHA1
0ab83f6dbc5424d1bdb67b94513ba2d2ec558f10

SHA256
c77ebbbc2a371a16e799ca648a73fa04ad79992abff3f55360c44f6386507488

SHA512
416f24568822d002575da598ed7c643519844e702ffddfafd3e5ca976281c7554bdc4ef87d9435f6c8a2df1b97a711e1778b90240c1f30070b509a7019afc1fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6362b7378440f05f06a724c7c126784

SHA1
efe342662c3c95b02545b664e6bd55cd77cc73d7

SHA256
05493c18e2067ba8b11736e9bbef8f548ebcef46ff7191978df169419d1d391b

SHA512
56cf2ad5f0313e971eb84c2cde5185f4b93cf18ccbd4f6ed90560fd35753219a7b8854dff64d796b9ecf1dd4b2aa725b790d1d9db78f16bacb8c3fcb8aee2cee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04e10af36f66e441eced8cad5f9df1c6

SHA1
0d38e1923bf88e97ea20c8845ef89e78c1a3027d

SHA256
432df0274d56919a40623014948379b56aacba0ba1f8b43073ff7309bbb6dad4

SHA512
87cdc70b5183d95d15c7456785efb3eed93d0a115cf13ee437bac61ad6095664f43f3830200d123d14be9f1f68c66f4e104e4530f6c040b4e98e9e32b487a351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eb5fe19e1a7de4dbf9ae5cfb914139e

SHA1
c9d1274917c0dfe162c247873b9dff2ef1205793

SHA256
b3cd0fdb63e0a4f9beb66c42002674d5abd3137d93d482664252551b1323a94d

SHA512
578dec30b6856990ed63e49816f365d3c958167d4db8d539785e44b3eca69996b01d6125453c8305af27cd711708f845cfb32d8d2d9d31c714135c84f36ae539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4af874e61fab71e9576f5f63f46e798

SHA1
97ce9f82e99f3cb6f3dbe15165cc2520d7be510c

SHA256
5c1393a4300e229930cf8f4dd8b59b7f3631248fbd3022214c6e6de97089647a

SHA512
1cee82291726de8cb48c3625a3907237d15c44fea5d19e8c65014a26e81a93541c6b8bcd7a53ca026a4006ff4ffe4c9bac21e0368cc1b999c4d077f30afdca60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4eb776fc315ed4348cf1945c1a52a168

SHA1
0a1ce8589d3d3da702ca82c067655a5f18eef6b2

SHA256
30f3e81b8773f48e9d3f301edfc01153bb1ea248ab4d55550320942bb1d6d7ec

SHA512
ee995892319d7f5ed98f53438a78616919915794d836707b21020484d9ac0331518c3df1c46e277666c2b7174f66ab9c07d0038b1c196a7b44f0a67f21fb226a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c7e7dc9df71a0bc929d84bea4afa31

SHA1
e03ea13e028c487f4899ef6fd793b08fb95b5d7f

SHA256
aa7874a024f87ea584ddb115302b97d205e98dd9f4858ac84726b56547bf8923

SHA512
71d8eaa06f240be78f4c632925ffb6aec5f0e72174163658855c7f4ac983a5db0b5f2dea8e39ff7e80bf4d2cea6802d5d9e2de2d1d3d598cc2179e39e5caec4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccb35a57433b7c2a783dae0190d49205

SHA1
a0d71e205b70e01f8c26d593d26eda5ca3f5d7d3

SHA256
ebbdb07689bf9aed1018fd39841961c8a287f75e37e373bc844a2dd65abde94a

SHA512
0ed3a77338b59fad34abc2c1fcd52f126a6ae284ffd58ac7f90d19ad445079eebd0d360e9dbf09069ae029ff5afcad13fa012eb3232f61232c82c488954be65a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE4E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC708.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\galex.dll

Filesize
987KB

MD5
31089878db4b2307dd0c50389e19e023

SHA1
9113ad39fcd9e3e342eb2cb9131515e851314d1f

SHA256
29132acb8fe71d80ce0138d9eb5b40aafd2ac46100e9f016c4f9d89a3b2b9d2f

SHA512
89d43fe375d68baabd37f63577447e31b0e8f1ed9f8fef5b3aa4569a2d2ab6a91afcf3208f42f2d031f7b4ec4d22f84e87008ffc18dbf3dd7becd97fe5d8521b

Download Submit
memory/1488-0-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/1488-107-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download
memory/1488-105-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/1488-38-0x0000000007110000-0x0000000007522000-memory.dmp

Filesize
4.1MB

Download
memory/1488-7-0x0000000010000000-0x00000000100FA000-memory.dmp

Filesize
1000KB

Download
memory/1488-1-0x0000000000400000-0x0000000000723000-memory.dmp

Filesize
3.1MB

Download