2e0aea3a2571be8e14f141fcc9d33e65b529adc796ddf786b79513ff293f6299

Analysis

max time kernel
68s
max time network
128s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe
Size

302KB
MD5

ab9d49617985434f8d96618d4e757fc0
SHA1

8c80a5a0516e0140bb12e3f6f8e18bfd10a1caf8
SHA256

2e0aea3a2571be8e14f141fcc9d33e65b529adc796ddf786b79513ff293f6299
SHA512

65527351a28c487bd30aca8972db01afd3f3e87804f19fbad838ed52446185e039ccb30154955532e980a49fc012a0b7fe0103fda4ee6cb656a6718077ae6026
SSDEEP

6144:+9uUeL9LrScc/jWK7qqztM5UaXKfz9ik3cqxhYd+3tBzCmzplMd:+9b09LrSzjI5U1AvuhYM3XdzplY

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2768	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2396	ghost.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{74A20B61-5E42-11EF-A4F3-F6314D1D8E10}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{74A20B63-5E42-11EF-A4F3-F6314D1D8E10}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{74A20B61-5E42-11EF-A4F3-F6314D1D8E10}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{74A20B6C-5E42-11EF-A4F3-F6314D1D8E10}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Outlook Express\ghost.exe	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe
File created	C:\Program Files\Outlook Express\ghost.dll	ghost.exe
File opened for modification	C:\Program Files\Outlook Express\ghost.dll	ghost.exe
File created	C:\Program Files\Outlook Express\ghost.exe	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\UNDEL.BAT	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghost.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e8070800010013000f0030001900a902	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Flags = "512"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 001112374ff2da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-10-fb-c1-ff-27\WpadDecisionReason = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\KnownProvidersUpgradeTime = 804e153a4ff2da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{417C53A7-7DF3-48B5-ACDA-ACF489BC8AF7}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070800010013000f00300014006000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = c0d316374ff2da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\ImageStoreRandomFolder = "a0edgqo"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{417C53A7-7DF3-48B5-ACDA-ACF489BC8AF7}\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2300000023000000430300007b020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2992	2396	ghost.exe	31
PID 2396 wrote to memory of 2992	2396	ghost.exe	31
PID 2396 wrote to memory of 2992	2396	ghost.exe	31
PID 2396 wrote to memory of 2992	2396	ghost.exe	31
PID 3068 wrote to memory of 2768	3068	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2768	3068	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2768	3068	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe	32
PID 3068 wrote to memory of 2768	3068	ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe	32
PID 2992 wrote to memory of 2788	2992	IEXPLORE.EXE	33
PID 2992 wrote to memory of 2788	2992	IEXPLORE.EXE	33
PID 2992 wrote to memory of 2788	2992	IEXPLORE.EXE	33
PID 2992 wrote to memory of 2696	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2696	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2696	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2696	2992	IEXPLORE.EXE	35
PID 2396 wrote to memory of 2992	2396	ghost.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab9d49617985434f8d96618d4e757fc0_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNDEL.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2768

C:\Program Files\Outlook Express\ghost.exe
"C:\Program Files\Outlook Express\ghost.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    PID:2788
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Outlook Express\ghost.exe

Filesize
302KB

MD5
ab9d49617985434f8d96618d4e757fc0

SHA1
8c80a5a0516e0140bb12e3f6f8e18bfd10a1caf8

SHA256
2e0aea3a2571be8e14f141fcc9d33e65b529adc796ddf786b79513ff293f6299

SHA512
65527351a28c487bd30aca8972db01afd3f3e87804f19fbad838ed52446185e039ccb30154955532e980a49fc012a0b7fe0103fda4ee6cb656a6718077ae6026

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
21cd8dcf593d6775889de9e95bf6a262

SHA1
b9db57cd49618b9a8fa9f3a7978d78270b4c74e2

SHA256
c968c015658ee743e78d41b3e200ba30cf4049c71a4611059194a264c2c0baa4

SHA512
6f9d5580499d7b950d080f9f033eb6231924c8b726c1adc7cbe21940f3e5642f01229d1bde0b5b1a2e87f8ff75983d78efd3e2a8a17add6d3b120a07514497f4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
351edce4547c6ef613b467d50ef1b3f5

SHA1
cb231ba530698a2e040d3f8e57da5634d8eb5229

SHA256
2d7cab7013e53642ffd1d5d913e9dd1b69ecbc491a0f623c290d959231f8ebcc

SHA512
6621b3b254d5099144df9600658fb33bbd12a421b31f83d2b42f92ad3fd01c19147b029c40d4955b166529a75f7f5e5f172f7ac1d91001eadfd66bb64bbbfca8

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b36b73f2e0c53edee76c2ac5d346f4e

SHA1
618470e7456b27ba59172afeaa15e72d9ecd48a1

SHA256
2f1856575913fdc7f6b5e127cbee5d867265c09259624d1925303c20b6acc2e0

SHA512
f9cc1169f6390d29cf9d5489d037bc1739263632f19442fe9e097a7058ca89c75dc9195e700fe5babc333927f6d1f2cac54c7c06380b7b74f48455aabdccf22c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a923f4574ad204c2e48b52af96da9db

SHA1
a034afce784043728776acc9d2b0e2990709c3fd

SHA256
8aa7537c1526519d0f3150121de2a70dc7dea4327da93ed815dc0d79aa99b054

SHA512
9afd138ee6e228b71fd607df30d2a5c223cfba0db9d2dc4fa8959e1dea84ff24f90a0f738d16679824513182422515e64801d4a25f5f32c75f26984f70016139

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d05c2f37a2ef9d9ed31a6d21a03672be

SHA1
5dbe0aa030506fc0c18526c6eec82ae62f57582e

SHA256
cc8fe8be38c5a045aa8d4c2bd44cbadb1ca2b2203a6838423a1761c8899d804c

SHA512
0e07f0a686c4289ef33cefd7ba2cf499a592b1e0df36886c319906ea7d9f87d2f892670129a0c198f592bf89a9ab253d3fd608a9c2052818ce269a06b7ee60f3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b692553c369511da99bcedf53c94ed35

SHA1
969242e415ca65fda1d55d7d63d691f900cae014

SHA256
72834413534403a18c22258cc0f2fe09060f6428775496a19aad7f3abb8bc3c3

SHA512
dfe386052f8130937cd532fc629fbf172a799ef901e3afef88ec532497c7adadaefe16671dd31a9433416a779e7c813958b7455eb0b59e1240671ca9e1542745

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79d381c3bebaecfd313b2abe62d39e35

SHA1
6f1cde194b1f065c9d1f3f69ea21b0cc09ef108a

SHA256
b96934ec21ae0a84ca263034845178ca2891023bb56d33e32c4ccc89044a3ca1

SHA512
9b37e72c03c8ed99fd81f8e5afd00ccf29c4d8a92c7e88fe6dbf2649f7b47b14cf86700c5c780cd4de4aab2e656a157ee2df2f7c57b6e8e8d9f12dd7844a03a4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd2ef70370ebe6efcd9866c8d4d9ce3f

SHA1
f668c984ef8b4e2b4b90ef64716b6e9e7e5b6954

SHA256
1423ec032059eefc022634e4cbf7ced55d3c9619277b139ab071f6475027b66f

SHA512
a85b84eed8657c6de2d1574a5f7c895da06ee300f3e76e0555e6313ceeb07bac8a07d4f27d3eb7caa04f3602448f87b75a81f79036b9c24f7a7248fc7e08689d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3ecb2f4f786e6d9ef8738824d1d4e84

SHA1
1be0ffb52c43761feea48264f26fbd3acefb2217

SHA256
e6a7837864c21b8f53b9ba7109987dbeb17f9b8b2d3114f1e0f1b105563d39e8

SHA512
1ea9b60175376cf39f6e632dd33884693f532c8ce2e652d270fcfa3641683051a3fe6fbf58379c34ed876e59f6f4b39e4f8f1e9a993ac23011b99151c5a486da

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69b2962eaf7ecb6c6ace47e9ef00e0f0

SHA1
7006b150a3111f917fd023085ef11d7455a5a15c

SHA256
a38832f7831dbd63853ef02d75acc759803343910e6d7858a2a5f64ea36abefe

SHA512
214e7b91e34fbe3903034d583c0c43a677195d45fbbc1d1fae6127c990b002376673df22841fb21921b7511c27a8d449de4bf2c8a3e7ab81ba01437df918f286

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c83af4059ad2c8612873caa8e58ed34

SHA1
69de9af73fc3a9a7708ad67c2e9cf17e3a562e64

SHA256
49a7711e3b5e31cc239ed0e03df0856fa860c4946a21c81fba97175aca075c39

SHA512
4400488c495a079ad9e78843df08973a170423cd677e4f98a9304ac9784677c1972e7d1b10d3df87efd18da268de41ab7916c7695af4604818971c2f3a3e84eb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfe73b9becda3bdeea349544849a6a2a

SHA1
2aa4c85eabf46917c25f872891ff6353c054fa06

SHA256
92a8cc4080750fabb4461e79f7d134a203aae63c57b5baa19202bbbb452d2f27

SHA512
9586f7696e68558466741778656dfd47a4b42f2e8943928ce966340f973bda7db3acfadb0d9a83086f6134c4049f9aa30f1bbde352be360598bcd244c565558d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
897e94ec48a35f7ee008e3bbe6b5fff9

SHA1
1266ab0aec1d35f29dc66feaedf2c87d6560469b

SHA256
6e35c66bd45c4c72694f31df7237ae611c3d49844a94c3688f6cd2bc6073fe1a

SHA512
92549bbfc708e559e112de26a94dbf48849076e5a05f69b5a840a5490f60b2d734ba61ecd010fb6da67fe289f6efa9cef6ff8d10cd0553df8848ce0d8339c963

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f8dd5a5936ccd38b89f822dc3587304

SHA1
c694c2a94deb1a7e97e83e7f1e5c4dda26f06e70

SHA256
7b7a5198a03a55c3a9ee9603813986f5e362d84a3ed355ac065ba8978b605fe0

SHA512
33ac21bde9fe9663e396d7b8d339909573832e4a39d1db170107802f3cd1d724864446509c99c106045446d78ed0324f6e5e2eb1a33d53cac683a64733f086be

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1bf56129742dbf810de86e2b0e1f3bf

SHA1
80a734bb064934a9e35a3a9f0f9bd8f6d895c547

SHA256
3f5f7aeb829d09196640271a253b7024d27669ff77a6e65aa360831e9a98592f

SHA512
ce57ae8d50b4217d9841d08b21e4d762c468102258814e21d192a574e5f962d8eb8ab16d698015c26c0c6d7b34cc3b51d0bf69ff989cb7788498331d5c5c2de1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b78eeacd75cb4e532930188156b9257

SHA1
d896d6ab226d94acd080db4c7f06b33fcac21833

SHA256
12479aef6ed899eb0f9d55cf0e8f147197aa0c047466028f95dad9a6fdfa6ff5

SHA512
a6511abf996a6dd9bca980b3c5db1e00442a67a195f74961de6639844485f00b109cf375048c4ed22875ee0990de3976d50f52ff35b0c4d033153ce47dbb21d3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20f210f5e171be8bd106f7e140e600ca

SHA1
7c47eed2ed2dad52081754a6d628d5a75b7d5225

SHA256
831cba2d671994c4afa8afb76c25b7ab1d2857a0c03cd8a68290271071d5dc1e

SHA512
8b2ecddc69138ef39484fd4b47ac63f0be9996fb1f8c3b88b3fc71138cfa99da03783e81c60e48fda5591a22e31169db2e4f6cd37f208d53df130a2746d8920d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8910375e9d25838c4b36cfb6fec88278

SHA1
21256f76d67e1fc3f35a92bf73308fb7b7626180

SHA256
80390e9844adeb04b6c7e5d45cbe59a56a6b007cf5866a52e1b8e1e00b937c72

SHA512
8c71e07c1e85d550ba8e68d9128605d29d81474d31fbe5d8a481387e2d228a1252253666d135df87edb40a50d4da656416e83421c6fc020a7099c27c8d84fc77

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5fd7721854fefeed466e76266eae798

SHA1
a0c8b0877acd8de69d7e9bc61d53a971f284a2a7

SHA256
89b90378c87354a1cc82889e99d3a099a37146893f018d120621558e470e759b

SHA512
a9ef67f11b7ea58930731da4892b2f02d48d815cbe8532f24d619c6ff363297773f5605213bef0fe0007989fc8b2ff22abe05aa27863aecccbf32669cd6369ad

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8d85423ee6114c68b54a8c42f48c50b6

SHA1
d061d867c3365de85a52a592dfc0270e6d6f5399

SHA256
8ba62a05d1ff71ea16958bf2cb010193c23ecd81172517c7b845bd69d52c5c0e

SHA512
ebd67a3edb5ec1f000ea8d517ece3940b300e6a60105a1aeadc2a2d052a0c72629e60083db48305c9a4b6a3363a46fa0657168cc507327c7d4545f20876aba9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabA308.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarA30B.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarB174.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www96D3.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www96D4.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\UNDEL.BAT

Filesize
218B

MD5
c24252d64f7c088ec0830a33dadb2ac8

SHA1
d7e7015f45d2a071aa9ce97862e96ca4d38d0549

SHA256
17ef9715bfc4ca44a37c910f1ca9e639109a8d6947560a3dd97bed8b728ffae0

SHA512
4be4172ef4c4d34bf795ba692382f01efafec042b09a707e24415d3117aac2f662df9b2552e287792f8dfaa3a22e4ce933541291ed8cf4e624cd742eaa478239

Download Submit
memory/2396-148-0x0000000013140000-0x00000000131E4019-memory.dmp

Filesize
656KB

Download
memory/2396-5-0x0000000013140000-0x00000000131E4019-memory.dmp

Filesize
656KB

Download
memory/2396-6-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x0000000013140000-0x00000000131E4019-memory.dmp

Filesize
656KB

Download
memory/3068-16-0x0000000013140000-0x00000000131E4019-memory.dmp

Filesize
656KB

Download
memory/3068-3-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download