3e17f33f7db9bd7b69209d2fcee449fa85437fb466e5523fdd6a4220fd9d0d86

Analysis

max time kernel
122s
max time network
137s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 23:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe
Size

656KB
MD5

83f9aa36f2db9b9d94b7a1b06fa78e94
SHA1

5904b9490847fdc6a2267d2de21b4b4f39695d8a
SHA256

3e17f33f7db9bd7b69209d2fcee449fa85437fb466e5523fdd6a4220fd9d0d86
SHA512

e85a02ec78f27f804b5608c479461a00a02f2c382e3998f243777be05f63b7d16037f4c4dff5a2422c9681d6e3872a27835289b84bdf9fccc98c215b2c0c49c3
SSDEEP

12288:l6r1Hwo2M51BnrBqslQ430ctbFmqfxF3Z4mxxVEb2WE9wDBFG7fxK5E9d:svRBnrBqgRP3mQxQmXVER4wdFG7z9d

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2892	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2680	G_Server.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{10C42D53-56A7-11EF-AB71-E6140BA5C80C}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{10C42D5C-56A7-11EF-AB71-E6140BA5C80C}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10C42D51-56A7-11EF-AB71-E6140BA5C80C}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10C42D51-56A7-11EF-AB71-E6140BA5C80C}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\G_Server.exe	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe
File created	C:\Windows\G_Server.DLL	G_Server.exe
File opened for modification	C:\Windows\G_Server.DLL	G_Server.exe
File created	C:\Windows\uninstal.bat	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe
File created	C:\Windows\G_Server.exe	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G_Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@ieframe.dll,-12512 = "Bing"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	G_Server.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Feeds	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000500090017001c001d003d00	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	G_Server.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB0602B5-1DB9-48E8-93B1-B509B67AD4AE}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{10C42D51-56A7-11EF-AB71-E6140BA5C80C} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Connection Wizard\Completed = 01000000	G_Server.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e80708000500090017001c001e000c0002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a6-03-51-b6-45-0a	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000500090017001c0017004600	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2764	IEXPLORE.EXE
2764	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2764	2680	G_Server.exe	32
PID 2680 wrote to memory of 2764	2680	G_Server.exe	32
PID 2680 wrote to memory of 2764	2680	G_Server.exe	32
PID 2680 wrote to memory of 2764	2680	G_Server.exe	32
PID 2764 wrote to memory of 2532	2764	IEXPLORE.EXE	33
PID 2764 wrote to memory of 2532	2764	IEXPLORE.EXE	33
PID 2764 wrote to memory of 2532	2764	IEXPLORE.EXE	33
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2120 wrote to memory of 2892	2120	83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe	34
PID 2764 wrote to memory of 2576	2764	IEXPLORE.EXE	36
PID 2764 wrote to memory of 2576	2764	IEXPLORE.EXE	36
PID 2764 wrote to memory of 2576	2764	IEXPLORE.EXE	36
PID 2764 wrote to memory of 2576	2764	IEXPLORE.EXE	36
PID 2680 wrote to memory of 2764	2680	G_Server.exe	32

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\83f9aa36f2db9b9d94b7a1b06fa78e94_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2892

C:\Windows\G_Server.exe
C:\Windows\G_Server.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2532
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\G_Server.exe

Filesize
656KB

MD5
83f9aa36f2db9b9d94b7a1b06fa78e94

SHA1
5904b9490847fdc6a2267d2de21b4b4f39695d8a

SHA256
3e17f33f7db9bd7b69209d2fcee449fa85437fb466e5523fdd6a4220fd9d0d86

SHA512
e85a02ec78f27f804b5608c479461a00a02f2c382e3998f243777be05f63b7d16037f4c4dff5a2422c9681d6e3872a27835289b84bdf9fccc98c215b2c0c49c3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a3bfcf9a44b487ddccc5142e11c0e842

SHA1
cd21ef3994ad7152d69272d9a58a44b9816c1d3d

SHA256
8e7a84b2ff26a21766b969e2079e6ecf83e48f300484dc96198ed768a0250686

SHA512
be2dcc517fe3fa47e79407a38b24d9d7a55b592aec5226e1ee634d524549aa09dcff3a74876bb6cc8d5741a4c161ebdec815a23ca81acc4a1b916e0f82290767

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
165ee39f1082702eb38bd955a31c0880

SHA1
dd6b3c1a67bf506934676e8e74a7174fba4b3d8c

SHA256
9ebc8404e47d636cbec755948bf9681940edb872f2f704fdf9d490260296ac68

SHA512
e325f7d5a9384897c2c370bcb78b2ff3d73ae12a6a0df2baa7a146622c1b18bbd1a648e341a0efc1b1dd1f46089c746a6d48b5d9bcfe7d321f88326512a9f2d4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bd0ef89684b888623177408cf781392

SHA1
604041a2f9b567d264bf3557d193e1bda5c57686

SHA256
b40e563875d5a64b874e0cd0e86a57fd9efba8e631030c5de80cc2e25f40eb57

SHA512
35b2b79ff28ec8c455088810b0d20a85585a3cf541f079fdd97093ff8596b5d9e26f6f09a8c2437b244e65da6567e94c605e23c71f53e97efe03033328f94d83

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4370fea9745ff3b06ffb44702d73ce30

SHA1
235b94150130851c97c4c21ac590404d3be3784c

SHA256
de1492237e563858673e57e33a1e731696444c8a188d4661c8fa38654cfe5222

SHA512
cf3290fda24f86c50d92f4213696669b07584278405ee62ba2f5819849fe28810dafcb6cdce8f306cb5877443caf507d196c2bc4012c42c87531b4b83ec95cb9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f05701745a1b9ff7ea5665250cfcb243

SHA1
fb718b26c9d322c0e4ab2c1dab6c281a366073b9

SHA256
0c42e61f49faaa9141607564313537615efa553d063c2472f3f72608c838b54e

SHA512
aef7f6aaf52642fd515c98624af17948ce6e636e1d93069eaa0bdcef4e0dafbd744aac54b2160514da05774397d556e5efc263435284735c6b28cf16230400b0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbad98d693f975f60d0dfe96aa15d46b

SHA1
7bb63ff3dacda36221ae6c8ced567b1291d68c20

SHA256
cd03cbc98828219f919e7eb90462c8b968ba3272f4a88e5f3bd96fbd8ef0512d

SHA512
0e0816122f77391b0ab9d9dfb860d8c9c14fc7b92e1cd2963d57b031078d9ec3a0587d553d06c0df74fd406e7571fd919ab8ceab2b8ede16d3a89f3c4079209e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b31126a524a524efd0f180185721a72

SHA1
d17ea8285c8442f23fe7fe8754c38ac18120e8a9

SHA256
cadc71f66db39ae78f03e42a48cf1f1647275b9b54dd43e85bb1caeb6f3fe87d

SHA512
375f96a8aa2a201b2c9144761b1a520217476d16350766bef3d1177624f694ab3d0794b60b68da38a7af30d7d12934ff3d33c9f8a39aaeb83066ff6d8f01372b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e159f5d1c4254b96298e84445ba6b3ab

SHA1
5a187c30171c7f03c8783fca22f69d509b591ca4

SHA256
291f9fe49145f005618ed9cfd405f3083acf79ba1293df18ce63206d394b8740

SHA512
c88b81540ae043f2e8c84e28db926cbb123053641602dd69d1294662ccf0533a4c7bfe9b81ffd02f016f69ea65b0b8d4725934312816cf2d909655e5a586160b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04be717195a01bc9f6dbdfd0b2de956b

SHA1
53b3b85c6728ee13008c7af21633037abd19e821

SHA256
af199a2b01bafeea5f27dd168b1d49f5165da504da84c4d993fd69b3cdc413f2

SHA512
ee30cf81b16dfbf5f9e985088180a35f2c4d61438e12fe68c02023d25c9a32dbfeec6e931de74b64326f16e297ffde5010ca8983cc1d524419f2d2b6efd9779f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
059fabad4994b8ea593a8d11999599b2

SHA1
8364d8746e61d57e92c955b80d3537da8b93e2dd

SHA256
c060c0d50f27dc7c68a6179cbc61a85caf4f8af3e196f1bc475b0374452c8ccc

SHA512
7f22d952d3ea060c3e04ee90875d3c8c262c768eeb7d98fb3e6d365866c855831630852b0f6fad430ae6622ef91fe161d761f38202a73c985af97cbb00aef1c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07498b73469a4cca7cfeeb29c2e2a1ae

SHA1
1b66082c92804eba3476ccb08f9509c5da69f595

SHA256
a32273e83882108772a7e7d6749a7ab1afe9114b7b328735d3bf0cbc0c25b7c0

SHA512
a647b858b0c7234fc0fba6a03b3c33eb0edf1f8cf9cee13bf9a5c869f1b835531af9704914aabec01a0192c44bccfb0a8916f6800b4d15031da5376bcd6b6142

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f822bdd9399c4d87a227556a89955417

SHA1
ff14bd1bbea022530764306cf7b29deebacde335

SHA256
4f4fcca50bfdf7973726ecfc5c2e805e24680114e3c5a075b7eb6db01ff93f74

SHA512
2428e3c3af3329d8785e35033aef496d06834c904c7c58a238ade6c7e0ca7d03538d153f8a119156abcd36a9e0bbea082f0e19269a637b6276f6d1023eefe017

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a52afaa9a644bea146b18ca0faee293

SHA1
dab8be21b36385eebe5f92746ee3b812a27997bd

SHA256
c969ef8c6a452d349bb7631cbe937ee993adae18629eb49eefa7334ccf584a13

SHA512
e53ec8ab864c6ea42c6929d995e63a2d08dca8c2950df96faa26922befb05ddc2884a39ad60a52848d75b67599fcf5140fbecba397163c621d9d0ca9f03a9134

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f13dacc4f57f199813617ee5df65180

SHA1
92f32354a39bd926a1b65744e3842763561a437c

SHA256
3e1ca271d1824836b78b46b7c29486baf19512ac52b5c2e4603f76a857f80003

SHA512
f2586753ebe07214414f809372f27a2ff165c9685c34d9aafbb07c7cf13299669709517dc87d1e8eda999f718a686404b04c5ee396b0e6f5b7e478957984eaf0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
397e70d4f187c2d0057f41b802af9cda

SHA1
6b33dd85b2e87c625308ca7d59b03ea9ce93c412

SHA256
aa5d98e00b8247a1005a261e458897b48352c2f1fd6d46adaca05421fc374dd4

SHA512
d25c5a26c548c273589d2abd95f15f7b1c9a313260c290833cd9c8610af2d43fad051f262be0e0797a37341f0148791d7a7d9dc1da76aa8de8f4f571bf2f1d5e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7aead05257269a0cc1d8056a1f2ceee

SHA1
afea25151ffb699f65eec9ecb12cbadac4bd32eb

SHA256
6e0f6da439a1f631a8ae70944873afa0458872c8f0721b77ee66647ec44a5070

SHA512
c6826c8c4cc653ba87d7287168e3c82433a886cc87efeca6c12ec5719cead8b30a62ffaf9f89d16a29920744444bdcfceef14a862a92fb06cde9764a878f5667

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b575f06fecf9f443845209627a85d912

SHA1
c155e400c188a703efe47aa7c534f6a141e57077

SHA256
3a956b7d582b516c59445d8b7d8ae4e97367d0799ce2c36d9a9b4953d8f3e957

SHA512
51c085ef9ef46365c990b03765ef7f4fde32f440bc21497a77896a3be5ca637b2532b4681b8ba41ad38b6573bf807c35ea1a5d722dce581ba0d939ebe2ea6666

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62e2f3b916952d3165e0f855b7253bb7

SHA1
9ebb7b8eef483c3db267d88af93bd52d72e61d88

SHA256
7a774cd34ca52a0108deaaf9392bb9844e54c90dca0fbbbb690ad201a66f6650

SHA512
7c1a303394e13252324345f71cd42fc7ce60ba4ac1888531041346331ca05df5a09d6cc32542aa4755aa521e58759c3ae91beb4524785d1db7018b5c14b537d1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71c7561580057ea05bd98265cf4bc370

SHA1
4ee718710fa050b90fc7b8a36af585e3dd9f768a

SHA256
640eb0ce0865f07c28769041fb168cec5f8135e9749e946aac83750aa92e03a9

SHA512
5285eb37e1e2f5fe01610ff2c3b4e52c7cc38167d94327c3a2aaa9760062f96c3b75f5369a487d472f9ea75999eba7cd0d09c6e60c26257e9442739173f6623f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
0b078d5e64813c222107d2107605753c

SHA1
fdf38497b0c3c7f400ffd17bfc42512b1aada977

SHA256
a87073894177683e6c98c880418bc70aaad73bf49b102aeafb2e0f39f78d9ee5

SHA512
2de6fceefaa6c15211b9a9b03a45e3809aada55ccba04c595fd55f69eccd1f0584a16d6ce4c0097b8fc97ed4110416a38a4844bfeaefedfd4dc57b245180ffd5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab110C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\CabFFC.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1010.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar12A7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www55F.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
f6a4df68768bf6af86b8e139d5a70d8b

SHA1
c40ce980ce7007f624c11d6ae9c918c5155ae5a2

SHA256
d5a35a8ba274aab02655f713f3701bc1d49c8a6c2448e8f74feddc1732d37d2d

SHA512
d7c0caa310815065b918641fffaf6ff463e8866b8b080f0a8852adc8d7901cc4080878e28bdc68ae03bfc6b8d67660c9bf5ae1491aaa6213501e6d42a409612d

Download Submit
memory/2120-5-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2120-10-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2120-1-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/2120-38-0x0000000013140000-0x0000000013254000-memory.dmp

Filesize
1.1MB

Download
memory/2120-20-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2120-2-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2120-3-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2120-4-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2120-37-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/2120-6-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/2120-7-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2120-8-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2120-9-0x0000000001D90000-0x0000000001D91000-memory.dmp

Filesize
4KB

Download
memory/2120-0-0x0000000013140000-0x0000000013254000-memory.dmp

Filesize
1.1MB

Download
memory/2120-11-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-12-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-13-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-14-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-15-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-16-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2120-17-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/2120-18-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/2120-19-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2120-23-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2120-24-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2680-26-0x0000000013140000-0x0000000013254000-memory.dmp

Filesize
1.1MB

Download
memory/2680-178-0x0000000013140000-0x0000000013254000-memory.dmp

Filesize
1.1MB

Download