d6ca0b179310f00c0dc02564c8e893103e0c50c69de0a6175e5ebb85c3b3df66

Analysis

max time kernel
142s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 10:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe
Size

642KB
MD5

aed3805c49a7f790fd9ebe9b49400322
SHA1

604fed59c88a3cfc212ebb37c66aebb3196ed560
SHA256

d6ca0b179310f00c0dc02564c8e893103e0c50c69de0a6175e5ebb85c3b3df66
SHA512

1952dc925e3604a2b82c2a2ec3e2561ba48382d1e55747e83e1d34a0c3c0248c8a202a2f332c7bdf2616a132ff321191c939d0b928b3b02d86dbe30b3f940a04
SSDEEP

12288:TDJPQCgrPN2FpFlTZVWqR7BdIF3Z4mxxQX3blFLmVwVGMb5YQ2A:vJPrg4XrqQmXQXL6Vww8H

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2044	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1192	Utility.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B0467E1-5EDC-11EF-B586-DECC44E0FF92}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B0467E3-5EDC-11EF-B586-DECC44E0FF92}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9B0467EC-5EDC-11EF-B586-DECC44E0FF92}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B0467E1-5EDC-11EF-B586-DECC44E0FF92}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Utility.exe	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe
File opened for modification	C:\Windows\Utility.exe	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe
File created	C:\Windows\Mangerr.DLL	Utility.exe
File created	C:\Windows\RAV2007.BAT	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Utility.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURLFallback = "http://www.bing.com/favicon.ico"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName = "Bing"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	Utility.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070800020014000a000b0032009d0002000000e11a542af65b6546a8a3cfa9672e4291644ea2ef78b0d01189e400c04fc9e26e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-aa-dc-9a-9a-17\WpadDecision = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e8070800020014000a000b003500d00100000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-aa-dc-9a-9a-17\WpadDecisionTime = e0ec655fe9f2da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Count = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet."	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B0467E1-5EDC-11EF-B586-DECC44E0FF92} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0077000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{DFFACDC5-679F-4156-8947-C5C76BC0B67F} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000808ead5de9f2da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites\DataStreamEnabledState = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 0014b75de9f2da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = 606aa65de9f2da01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Count = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070800020014000a000b0034009603	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Count = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070800020014000a000b002f001f01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\MAO Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	Utility.exe
Token: SeDebugPrivilege	2836	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
1192	Utility.exe
1192	Utility.exe
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3024	1192	Utility.exe	31
PID 1192 wrote to memory of 3024	1192	Utility.exe	31
PID 1192 wrote to memory of 3024	1192	Utility.exe	31
PID 1192 wrote to memory of 3024	1192	Utility.exe	31
PID 2716 wrote to memory of 2044	2716	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2044	2716	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2044	2716	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe	32
PID 2716 wrote to memory of 2044	2716	aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe	32
PID 3024 wrote to memory of 2368	3024	IEXPLORE.EXE	33
PID 3024 wrote to memory of 2368	3024	IEXPLORE.EXE	33
PID 3024 wrote to memory of 2368	3024	IEXPLORE.EXE	33
PID 3024 wrote to memory of 2836	3024	IEXPLORE.EXE	35
PID 3024 wrote to memory of 2836	3024	IEXPLORE.EXE	35
PID 3024 wrote to memory of 2836	3024	IEXPLORE.EXE	35
PID 3024 wrote to memory of 2836	3024	IEXPLORE.EXE	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aed3805c49a7f790fd9ebe9b49400322_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\RAV2007.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2044

C:\Windows\Utility.exe
C:\Windows\Utility.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2368
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Mangerr.DLL

Filesize
577KB

MD5
a568f61f93e49edb965e84c5d6815d32

SHA1
191a72977a7bc27c0fe241761a1cfdba9a40d67c

SHA256
98ee12a87cca6af453b35623372190fb5f2628e07ea267b4c6f2a4c0ec04bdf3

SHA512
81340c74dba845b3278172585e12b7fc39bb2dd32f6737c00428f99b85962d42e6c007cde84c8dfd4128e7590e76b5afdfa78711a6b80836b12c92669225dfbd

Download Submit
C:\Windows\RAV2007.BAT

Filesize
218B

MD5
95100bcced3beb0a815154a3bca78125

SHA1
cd75481289fe9579f8aeb77c72534327ff3f9edf

SHA256
559d24b4937f18e5c4b237f26f423eed4cfa3f77fdb395900065ea9a581e7e45

SHA512
1294ee9128c1ebf6179f2e705be8a1e4d0eb3924de1d21223726b6921f541d9b86c5c2e9f0d420e812fe869af156494dabdb827f71cb987ba02f634a4e071899

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e1e5afbe47fff9869964a538a5b419a2

SHA1
ae2858f43473e86525503c45c74259edeaa9db96

SHA256
731c004e5a1500fe459d9d761cf428af18293f1843e44f7bdf875209973be8c6

SHA512
a3a8af94a4705415f43358669f635803c9b950ca0d54c1141cdcf232817e55d7f6f0e10f433d0626e8f1072a14679e52f3a2fb941daecd15dd231bd240d39346

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccdbcade71d3fec0184d849886450ac1

SHA1
5fc6dcef2ee0ae69f5705ab94931f7717ae246d9

SHA256
30210129747388b3565fbdf624e906ef4a71d69abd277190cf115aa033295f89

SHA512
5ff8869e1bc8e1ca7b21694e6cd9f8d8983b23ce781b4104869a699f88bebc7ba4360cc8abe03b7d127b6dc3de2a36f755652e770b3afb6d98ace735a4154e5e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f2e28ec02acc21ffeafe61f87e7c0db

SHA1
5a151956a258f75a7d7a964e3ffec1cfea045607

SHA256
4bf19cc59e14790a6761f468d99820a19a7b1dac52d0bacf9f7fb0904652a7ec

SHA512
9c31412f55e382872d7fd9d3b6fa7f597bd944f611f0ae9ba42725fb8542692a20c251b3e3a93f83d17a8e1a4064c43454ca9cc87fc24dc40b5fb1510e33b1a9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e268836f7ddbf05909cfc6e43456842

SHA1
25dd51ffc7e22fe73a82be3420413a8273a2c7ea

SHA256
818f158db30d93adee44dbc01df23fcbc3e89862336527ad6e7736a07750f784

SHA512
084e5c5eb566835c3933b8f26c529e79dfc58e787b78d867376a2f20188107566150fd85c5e25316393d0ae38fc6bba08f8d0c275cc113850b216a925c21f057

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0609e570e518bba12577ce6718ab53e

SHA1
382bff2c6fd5d61a7fa5494496bdf5421df387a0

SHA256
4e960b5b58bd9b78281d91c2c77d1e05ded1245d031670695348bf43c2bf1aaf

SHA512
fb8e66115b42556999cfe804b99f1a15e8fe9e3adbbabb910ef989839381ae62e1b2cf6f0c4d9073bdedaa0fe2bb39df65e0e75305e44d4e79e502d81baca65b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cb442a13460d254566ef8985ccb9446

SHA1
d0a4a126fcfc304a736f44c0c0284cad372c7b0f

SHA256
29c4aafc564ba123c223a9901b1657dde15f5a5ecf32b9949cfed1d392e33b7a

SHA512
07ef7f16e50719c71a52141737301bdc3653993bd7b1d60c39773b11acb51ee29432e3c1e6144b8fc753a089696bb760252c6aa4ed6559b90fae11c18c3fb210

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df6bf212d1dcc253638af7164aa8e523

SHA1
32c62fcf4e95f5ab169587fc73105a03ea680f79

SHA256
ffe4ac3a05ad318ef7541f690bf7ef9a0eceae59ede43de16b65eb4080f88ffa

SHA512
8ac4ad610b7a444ebb6f06c735a10af234f44d10b1049fe34949876dcadc7609225b6cd3c8cd5e90b7a04d7a08efc621f8e5ec54d87602490a979cc93cb5e793

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b01f41134558419855b93cbeab59e92

SHA1
76e47193aacb5bf99b44440c6d1f70ba3e0dd2e7

SHA256
0e3a1352b17887c79e2e900d653782f2fa178ac01872c4b2b45d596013ffd4cd

SHA512
00bfa89c4e74b7bd6e431faa045691d1862ffcb1f63558b9a51e803b24edbc4a695eaa6d4d055c62b68b71aa743878d0b80c910690d6819836b4bf48e23cc167

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4338829c768953a624866165e1e2fa05

SHA1
d3457c8b0fd0b13e6e135f77d8df41ffe80504a9

SHA256
32d1977fd9ae42418de7c1eea72244801588e8c90fbde240877c18bd0be97529

SHA512
1a631d3d0916ff5761fdc2727fa1185de4b87df61a8fffa83c589908b019b56f9127908f8676686f5a3dbfaa93a140e9203b131595cba40aa1847bf6f9a93c1e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2492efc71194925cefe9253cb18096

SHA1
9bf18ef40b4928fe6d28d1858f815eb763f525cf

SHA256
a18f1acc81892e6dfd3d61cab9b24a0551b3a9895cb146ecb985c6ed606a66dd

SHA512
03731806110cc950d4478c3496c8ae3149662a01aa7694e63e4e63981bd122bd6cf1e34bcbf1b8eedc985817b9ab7aed60151ff1162a83acaffc2760d5326d6d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8edcfcf2872d4759c388cf1a71a9f786

SHA1
7e116d935ff265741e90da68701d257813bacd41

SHA256
befb9eb2ecf8f51dedc2440415954e5f1c1ae638d4d0ca6bea3e3525e2741b40

SHA512
ec7ccef8a0b91a4bfac51a3867b7f779fad45abdc5aafa7cab0fb470e5e8578451fb83a796066686f81637f162eed7a9c04c59764e3fb7c00e7bb3cfda87d977

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9a7c2d31e1625d32dd6d65fa46368d2

SHA1
c0363d06a5adcdd3c93485664ff874b1f8bb606c

SHA256
4a5ed6da8861f684689f5fae381fcef5812bc617770469d9e3a51a091bba05fe

SHA512
601b3e2cb837047f06714338a4dc63ec67bd0078cc7217b93e5e0bcc48904bf8a74cff6b067a94cdf484bb6a793556695fa74dbc8a888dffddfff5d8201b00e1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4967cdb200a057cb7c5399a7d4562f55

SHA1
faa6b94864ad76c1bbc95ffbef8243cc9fb53be5

SHA256
d199a5009e6dca23ad139c3964fcba908c202b1196173997f9a8cff92676e8ff

SHA512
723a025bd10d3c6b1c1d86fd67adf3fc986caef925bd1d318c5773ec1472ead3bbc7a5b0655262047a3ffff3d2a53e63a2fef099218f0ce00e6f28c358bb0184

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bccc566fb4e3fa0213901472370ae41a

SHA1
53276ee116556d02e3b1fa7d7f78acc5042eb591

SHA256
399993531ad2af37d36c96b1af9a30baf5769a8e833fffc1aa0013a04c0daa84

SHA512
203314b994cc51e97cad530b718d1fb419a1562c0e00b2e111ed37ebc4727ba61bb8bfd7fcab93edaa820fd391ecf3a2957ab8b3509579d6f63276207b93ad95

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06aa59b00ef8f6d812d7d52f01f7d377

SHA1
5c7e496be422af5d81ae47e5e49bdbc71f4041cc

SHA256
658c301330e131674f5004b55da4e7bfe97957635fc2c30055ffdb728897dc26

SHA512
8718619b42f91fd287eea0879239acfa2c03bd36a3aaea0305ea6b26a6909a1bcd9de74ed77b576bcd14480141574af83f814a6eb958cf75871c45444de61518

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2490bf8f1696f1e968e2af1c9136b700

SHA1
8261e287b06ea21e7887f4375de78bee54c4e9c7

SHA256
e6e0ac183b256d8d74a8532bd01bd5df57ec444b594c379ed6e03efe662fdc3c

SHA512
ad1deb394da5a3dd037efa1e2e2d55765aa9133ce5b7307ee05339dba9f78462034c193783ccea89386da2b4a7e406265a0d71b981eec29c807e199e6a3de099

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88634962f0aade3c20cc24001196a01e

SHA1
cedf84a72101d3a9c1aed2653be6846f5802a782

SHA256
905b229b3ecc134b20b67fa13b6096a88d13c8ddada2363710ed3b6290ca1c3a

SHA512
9f99c148f00f13a8fd5f1e7dea84ecaa709b776ecec53b22a310be5faaf470a126bed9c724b647e524c63033b8f56a3858dc6363fefe510fce4d54767a4ca97a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f459a11892c83cdf1ca24f3abac1eed8

SHA1
877410a3c98f8b2a27e6c1069578049b9a724414

SHA256
62e203b69e07dc82a1c2242cab4a3b007e675c030a47ec7919e32efd7061f57c

SHA512
12b0a077f0dfc094cbe446a263eceb2c1bd0ccda37535534ff4422187f7599eacb1e240d7788e36f80f6b328a65696043d2be1ecdd4a2639b22e97131b98f2c6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd75ce9f5fd64fe9279bcde6cb7eb50e

SHA1
572c76250494061013bc472bce75e25192de6d9e

SHA256
01896e9faff4c13eb16c8321af010eae74fb534fe0d66710f127c84411111845

SHA512
990d9b0a9f0790ebb5e035f32a121911290fba378413f22747f8f462f11279c63d2ac2c80aa0abdf509b803716491e369f51c7f1801d3d2814ee4befe95d2d27

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf6ce3beb3e3d4887442a7b22505257a

SHA1
a35e30ddd6935840c40d703c1e7d55eba950168b

SHA256
12052a1f4af23497b78f61208cf3a4958c783f69005a10a52ae99e7eb8678d3b

SHA512
ac517c868e2e720059fb58c9717380119fb1519a88eb730da766bc76b7d05f9af0d9cbf54f7bbfd8781c126435be1e428d138fba0a7a8cdc046f3a8070d884f7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
601542ab7980f7c3f0d7cbef344bc6ce

SHA1
17997753671e7c68c6e469956803184acdb2ee25

SHA256
bd0978954d44a3b3f60b3d842f6809037f65c59e3ad561e4e0518bd2070b964e

SHA512
9749fc234c485d9627e32aca76f649d78634e6bff6601b59d5248f16733f7cdda115ed6d4840082da68c217fd62734a27733210f1a06f529b45b7e92c928ae9c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\Cab3690.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Cab3732.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\Temp\Tar3693.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\Tar37B4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\www2BE1.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\www2BE2.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\Utility.exe

Filesize
642KB

MD5
aed3805c49a7f790fd9ebe9b49400322

SHA1
604fed59c88a3cfc212ebb37c66aebb3196ed560

SHA256
d6ca0b179310f00c0dc02564c8e893103e0c50c69de0a6175e5ebb85c3b3df66

SHA512
1952dc925e3604a2b82c2a2ec3e2561ba48382d1e55747e83e1d34a0c3c0248c8a202a2f332c7bdf2616a132ff321191c939d0b928b3b02d86dbe30b3f940a04

Download Submit
memory/1192-667-0x0000000003740000-0x00000000037D7000-memory.dmp

Filesize
604KB

Download
memory/1192-84-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1192-789-0x0000000003740000-0x00000000037D7000-memory.dmp

Filesize
604KB

Download
memory/1192-790-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2716-27-0x0000000002050000-0x0000000002051000-memory.dmp

Filesize
4KB

Download
memory/2716-39-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-77-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-76-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-75-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-73-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-72-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-71-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-70-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-69-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-68-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-79-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-80-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-74-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-94-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2716-93-0x0000000001CE0000-0x0000000001D34000-memory.dmp

Filesize
336KB

Download
memory/2716-42-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-43-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-44-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-67-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-66-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-65-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-64-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-63-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-62-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-61-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-60-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-59-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-58-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-57-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-56-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-55-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-54-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-53-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-52-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-51-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-50-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-49-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-48-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-41-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-40-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-78-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-38-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-37-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-36-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-35-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-34-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-45-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-46-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-47-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-25-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-26-0x0000000002070000-0x0000000002071000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2716-28-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/2716-29-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/2716-30-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/2716-31-0x0000000002080000-0x0000000002081000-memory.dmp

Filesize
4KB

Download
memory/2716-32-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-33-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-24-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/2716-23-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2716-22-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/2716-21-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/2716-20-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2716-19-0x0000000001D60000-0x0000000001D61000-memory.dmp

Filesize
4KB

Download
memory/2716-18-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2716-17-0x0000000001D80000-0x0000000001D81000-memory.dmp

Filesize
4KB

Download
memory/2716-16-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/2716-15-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-14-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-13-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-12-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-11-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2716-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2716-5-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2716-6-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2716-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2716-8-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/2716-10-0x0000000003260000-0x0000000003360000-memory.dmp

Filesize
1024KB

Download
memory/2716-9-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2716-3-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2716-1-0x0000000001CE0000-0x0000000001D34000-memory.dmp

Filesize
336KB

Download