01b6204594daed6f8fbb381724655f670889e64de3be5bce5175f22ff43afcbb

Analysis

max time kernel
139s
max time network
138s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
Size

912KB
MD5

8546f314b623668cf4fba82d90efc9d4
SHA1

c95f256c9a220a38e56846f8f3d5d178c799c951
SHA256

01b6204594daed6f8fbb381724655f670889e64de3be5bce5175f22ff43afcbb
SHA512

560232492b5f8cf13f482ef34b3b180efe9275ecb37ee8386018f66d4d9c8c0e2639a5e59adcb9c21baf14638d336bc5c1035a243486d25dc57a498fd05f3afc
SSDEEP

24576:J7Cx6XXWW5A46usy58NjSi/bavP3m01Gr7c:J7f/ikW01w7c

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
532	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2932	Server.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE77F5C3-56EA-11EF-B6F1-C644C3EA32BD}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE77F5C1-56EA-11EF-B6F1-C644C3EA32BD}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{AE77F5CC-56EA-11EF-B6F1-C644C3EA32BD}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AE77F5C1-56EA-11EF-B6F1-C644C3EA32BD}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\uninstal.bat	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
File created	C:\Windows\Server.exe	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
File opened for modification	C:\Windows\Server.exe	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
File created	C:\Windows\Server.DLL	Server.exe
File opened for modification	C:\Windows\Server.DLL	Server.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADCE82A5-EF65-4D78-9703-C55613C2FFBA}\WpadNetworkName = "Network 3"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	Server.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0101000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADCE82A5-EF65-4D78-9703-C55613C2FFBA}\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ADCE82A5-EF65-4D78-9703-C55613C2FFBA}\9a-ab-10-4a-8d-62	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AE77F5C1-56EA-11EF-B6F1-C644C3EA32BD} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807080006000a00070020001d00b00202000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807080006000a00070020001d001d0300000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005151792783430b4e9d970c775c2cba800000000002000000000010660000000100002000000093a75f47a820d1d658f5699e77a535b5b0d5fef78201b2256a2aa2cd16673f0f000000000e800000000200002000000038177867812f5e7938ca0e0623c50e2e444d057acf7a28dbbc8008ee0bdedf2750000000cb881f49fd9996e4ce728ef6263e5c132ae40684dfd55eeeff1ada3b86cdf0446ec1be6bd2904a6ca7a34315c708c77d29c4241c3b3f2290a76453ad1e1602cda35ef0a6497ec73ebecd8ae4b0dfe5a840000000bfbed22c662fa0643590459bf06ca6280d22d4fdafe6fad81c42d34cdba5c891d74c47a46829b843f24e46eaa6dd19ba52ee9e87086420f12c292cd62c7f46f3	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 20c9ff70f7eada01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 2408	2932	Server.exe	31
PID 2932 wrote to memory of 2408	2932	Server.exe	31
PID 2932 wrote to memory of 2408	2932	Server.exe	31
PID 2932 wrote to memory of 2408	2932	Server.exe	31
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2088 wrote to memory of 532	2088	8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe	32
PID 2408 wrote to memory of 592	2408	IEXPLORE.EXE	34
PID 2408 wrote to memory of 592	2408	IEXPLORE.EXE	34
PID 2408 wrote to memory of 592	2408	IEXPLORE.EXE	34
PID 2408 wrote to memory of 2696	2408	IEXPLORE.EXE	35
PID 2408 wrote to memory of 2696	2408	IEXPLORE.EXE	35
PID 2408 wrote to memory of 2696	2408	IEXPLORE.EXE	35
PID 2408 wrote to memory of 2696	2408	IEXPLORE.EXE	35
PID 2932 wrote to memory of 2408	2932	Server.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8546f314b623668cf4fba82d90efc9d4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:532

C:\Windows\Server.exe
C:\Windows\Server.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:592
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2408 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Server.exe

Filesize
912KB

MD5
8546f314b623668cf4fba82d90efc9d4

SHA1
c95f256c9a220a38e56846f8f3d5d178c799c951

SHA256
01b6204594daed6f8fbb381724655f670889e64de3be5bce5175f22ff43afcbb

SHA512
560232492b5f8cf13f482ef34b3b180efe9275ecb37ee8386018f66d4d9c8c0e2639a5e59adcb9c21baf14638d336bc5c1035a243486d25dc57a498fd05f3afc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
64f02e5821745c02c2a55e9a85b43805

SHA1
64e4eaab63c93e4e18358def24ec008c4ae60d4f

SHA256
b872ff8646fde45b64721dac07fac29341bb657db5e653e4564204fbdfe3d687

SHA512
30d9a7f9717afd02c8265b7e95856e687561568eb5beb51a390d227aa42ae2a40dc30b5effa85510b56b438f0f7f49ebfb5b77e95b7f73567d14e17204ba8cf5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0e015fe715081576a5761de76eeb5d0

SHA1
c9b099277b0e24061fbdc09ed1d593775a1b407a

SHA256
4ba949e8587414d7a0b0ffa5f331ef13cea1c3dbb0886f3e7c7293b1b5d9580c

SHA512
7bd81ae15012d2e9d186abb36d812f95a3119a920662fd6b6a27573d31e67b82e9154754920965a42928aee261b54b50a0663d4d62b1b02e5e8ba1173a99bd4f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
302fe1c11005f13dce60cb45f6144cfb

SHA1
690c6245c6f4b72657b0ccb37036499c1e4534e6

SHA256
2545728754e9c5bff03f544622aaf0833a3cd2e8002a0e0af259043243985668

SHA512
2577af864a1a5a3ba5328a5caea6fe92858ad92114ff30551e050537f8950ed43f35033b7d7e55bc99ed0054d8bc7f83e82026dc396bd399e3b1f2143d18f2b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b74e4b375734be983b9bcb3c4c891ad2

SHA1
76788ab23d0efa501bedc8017b3f62b31c4f08cb

SHA256
4a190476b1193aad8e2c506dc8358970a5db1eab5e79cfac3a627e3ee471b92f

SHA512
cef5b9aaa8e220e365493baacecd37fa1436bd7e10f39bf69f5809d0f45f100827f4f8aacbbc428aa7371300ac453393536c59704ccb0b3909d51eb8b75304b2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c17744d597c6b6735a197f20a9e1ff2

SHA1
03c82026fa002bfb4c3f4ee3128392c14f6791d8

SHA256
a4a10d12a1212fad691f229dfb470e132c1c2b41d1f3c3291b8c7aa0fff8e55f

SHA512
bd74bf6a02ac38a09b26bbfcb66969ba84ae398de0aa3c4a30700d2fd1cb6688e87aab468609a4cea2f70649d0919a648756b5d34a4e93a94d735d7ca5f3cef4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
345c35802e7782c76b2ffde793aa4bf7

SHA1
0876a79c0ee3427ddb03b3a2d774a397498c224f

SHA256
a5cc475593fac4d61a1de87ef9c514f90054feca1d0a1a8e18b26217f1cb68f0

SHA512
6ddf7aae1118770a8de271bca136066f33a9c677a376edb68f47dc19e4cc9627a8cb27872b9508ac90d1e5fb76fd8136392f28bca0a7176140a4a91730b98f5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69f6c1b15adb3b401db705330d586784

SHA1
cb95d1e279fb312b1b8454aff0c187abcb7486a6

SHA256
e8871fb6ea4e919eda7160b00a172de429460433144277741ba5ec01074937a4

SHA512
6a673a56b2ea81a22255cf74b84b2cef7c3a12e080321719ea2459751099f46f98491b0ac8b31b23a8bb0014ea4851c63a9a891b7f3b658277442830b2843fbb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e12033d3aeb8d56d662777a23f8532ad

SHA1
727b58d1601a7be1832f9fc87c3a58692f494c9e

SHA256
3a2c5628ac2893190e3f8519d0efdf169826121026362aa6df65613875bbef37

SHA512
081fcf7fdff336bd5936643452dbf94a6670ff57e265ea8b44d4df7e950a5bf85233ec9ff66f9c4b26e711edcbc9ad1d4a1eb279807be0b6262898d6e238e9d2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12285dcb07331fdcf3be640c33f68ea5

SHA1
fb9c57b17f35a5a11c0d2b62c828c53e546944e0

SHA256
505a19df98a0cc666da9bd0136136744b49500ca94b72cf9d45f7ba5c1c523d0

SHA512
cd83619440a0af1c6797ff5d1a187ea197409d36bd331267c94dcbf612e2b320e785af94d472c33f8e1a2c58246540bf152a837438e594d4e695c17c2dae49a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8722c6cf2b40ede08bd514dd3e731ba

SHA1
d695ad993cf42267a49967f74b8f3bbb07af006b

SHA256
71fbf51909ec34d2b0e0a3c7298c407cb3d8a3b993cd750ce276d5fcd46e3efe

SHA512
e7807046d0acb677de0ecf3e8dabf48525481482fef892cf75ae201d9af5d7817bc4356787d860586ef4df18752811ad9260ebf475591a6c0f0da8e6d97bbb66

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7464a9f87d68617c3e612bd5a44a1c8

SHA1
2dc941ff6242b13040ab56544d1811543659aa51

SHA256
f1834a36c111c3f19087c5f4f462a0c9279a1fd5c22411e42b39c0a052133a31

SHA512
b1abccf327d7d169e0aa94b5a53544cdb9066fa2424b9e4464e88ab336d53e6d2239146cb90783a52918e9a724f20fb73f50c1552ac0ea0b077c313bf93763f6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
380676af6d6d88361bf68bab24a11daf

SHA1
51a727cab507d079fe35c94403f987fc98da2d2e

SHA256
a331a8c97b0f626b088a3a87bcf44b963d970d72002cb5119c441947018e4c45

SHA512
c8de9a59d834df0ab731a75e983424e475fd6e6eb2e2c1d918b15ab74b73652fec0c40943c52f4b19afb6620980fa0e08f190d0753000eebf018a7153cb931f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fb560d6b3668925d5014d27b96e4859

SHA1
50305524c6688b0cb25870bb69f31ddd75988987

SHA256
31f3a43f7a008fbbfd42f20b0a3d967bcc917a6d1724e0b737149e048a21aa0e

SHA512
1894deb8e719691e390fe72cdec0b8171b97d43c4c416a3bed34aa23c83f0a4f063ef0443647039c2b1d555d46fe0c22a3adebabbd4af4f83114b5a05a27f8e1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70faa904a661edcb2120a647593588b3

SHA1
cdfce1a11fc0d59c22a06811a1310be65fdf7ef8

SHA256
83ffe3b5560def7e218a4ac40f1c52c021ea8d061e3f5067af9a025ae8efad91

SHA512
3a7f9d2151d79023fd282dd1c6d1a525bc39f12505d3025c2204ff388ac9c7c5ef0fa00abb479b24c7a37ce0bc2dd5412bb18d1a3139db910f9895591ced1448

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfa74331734ec78deba2cee1f8efe357

SHA1
fdc5b519bbc9031a31048e8b8b5a001d81ed0d65

SHA256
983fb94c250ffa78535b10b75939b05376cd5cefbad8cb72569ddfa9bf00cb4b

SHA512
f1c5e85d28b5ed913824ff2c183e422639f499ac97d44f9cdb3f9ada61e4e3010dbbce15a227d6bfc88bb932bc2375b2e9ca90abbdf11ccdd46893706e51bc67

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d2f7c46d6694d8445789224547983d

SHA1
9efe2bf195bb7bf71c6cca221740c12dec89899c

SHA256
f25f489b62ea93e9e4c65555ac1f00ae0346fb460792d92d181137422f2375b1

SHA512
30fe096cc64ace1cfd617ba14f748287e7fd22808777873edab34ba769f38f25b18aa627d6c1eb5f7fa57395ec8e8166e0ea442f3a7c4828ff9ff50335de5c80

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfe74150a446d686e491907c651aea2f

SHA1
756d0b8df873aad1281a6e49979b75d5ccf53f05

SHA256
c662753aeed4e851136d17bf27693ca17cef3f7de808d93ad87fbafac27ca64b

SHA512
d4c8e68ceb890a18ff75271d8400edad99f618e76bdeed0c0a89406513c25c994b73fcfd6464a409b1afb36f3774b45114ba34938f7034de09d6b4d734dae29d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cea118eb02610b63b80820573638e92

SHA1
3855f80da8c4af38e5dac63aef762e631910e6cd

SHA256
01a565951567b3323a9b647597d89c28d30a144f076edc04a5cf62c4d606b793

SHA512
9b1149e8ba530c4a4468d54fb4a994bd8d64237bc48290e0486a7371b80d6f9a83e6896d027a08abd8776a3273127eec5debbbb923cc99f810916721eeecf180

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
6f45f7d203a0d46e47f76564134cc129

SHA1
f47a2d4b069c6063cf353f411fabf54805ef1416

SHA256
3b6e3387eeb2e636d38ed9eaec55242ca93e76088ad0680be6c6e94c9daa57b8

SHA512
e968bf97a17a9ecbd088cc12fd066c99a9eb40a02164627713f2f5c4c0203e5eef3bd3b5b80a10e4dfb33dfe25e5072842cf877a8560eb7082fd8945cad24bf1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
10999844877a81b62873fe0e52af2e25

SHA1
b69b795b40030a94b6b4b0654d3f26355a577d1a

SHA256
059a4bc2bfb37a4fb1c555bf3929574ab9d2420f4f91739edf1269ebbdad832c

SHA512
ba2018f70c9e53eef47a9043eb94e9bd81639e1a8450b3734c437a40a5d1d810498fb1a44c534e122f99bb0f5ec98a6762cb0dada17c5899167efab4fb0ba01e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabFA3E.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarFA3D.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarFD12.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwED2C.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwED2D.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
ea285722aad65c0abc7800b5431cf3e1

SHA1
0162951438db8159041cc26834ae69d29e73a5c2

SHA256
4155a87f42c4cce6662ec9cc30f71ad7a06e4de7e821174fb70d297f4962b8e4

SHA512
7469a4f6ea0f642a17517e4df01f0ae8824c16907d565310567d5d2efbd975c365c8c5faf55938b5f0edd5e095c57562d8514b2b04bed263ab5d1c530f49b353

Download Submit
memory/2088-12-0x0000000013140000-0x000000001322A000-memory.dmp

Filesize
936KB

Download
memory/2932-208-0x0000000013140000-0x000000001322A000-memory.dmp

Filesize
936KB

Download