7a36aa773c6612002c780a03dc29b07967b5812200a8d03b5833400b46156255

Analysis

max time kernel
142s
max time network
131s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe
Size

322KB
MD5

b508641d3a1e4899b2e9921650bdb7ac
SHA1

50a88ee91fd84a1fe37d3611a1426e123f92063f
SHA256

7a36aa773c6612002c780a03dc29b07967b5812200a8d03b5833400b46156255
SHA512

7331e326762753bffddcaeeedd5a36fda2bfe3db8b7d0e8ebd9f0b210efc3487b33aa5c67ef9c9904a6e5e307345768b276222a805ee13a929d59a21dbab3723
SSDEEP

6144:EMHkQTtvqwhG0Y0yk9RS4YVxfbXF4rH/1thrBEuZl:EMEeCiLYDoYI7N

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1248	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2392	G_S7.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B0CCC8E3-6000-11EF-9988-DE81EF03C4D2}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0CCC8E1-6000-11EF-9988-DE81EF03C4D2}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B0CCC8E1-6000-11EF-9988-DE81EF03C4D2}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{B0CCC8EC-6000-11EF-9988-DE81EF03C4D2}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\G_S7.exe	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe
File opened for modification	C:\Windows\G_S7.exe	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe
File created	C:\Windows\G_S7.DLL	G_S7.exe
File created	C:\Windows\UNDEL.BAT	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	G_S7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\HaveCreatedQuickLaunchItems = "1"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Connection Wizard\Completed = 01000000	G_S7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	ie4uinit.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\LowCache	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7FBC9FC7-3A7B-4FD0-967A-982E10960249}\0e-34-32-e1-68-69	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-34-32-e1-68-69\WpadDecision = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\VerCache = 0086a9a807ccca010086a9a807ccca01000000009093660000000e00e803991200000e000000991209040000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e8070800030015001500020024006402	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021494-0000-0000-C000-000000000046}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\BrowserEmulation\TLDUpdates = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e8070800030015001500020024006402	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e807080003001500150002002a00f400	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Feeds\SyncTask = "User_Feed_Synchronization-{478F1EAB-CADF-4DBB-BFDE-0814931DCD9F}"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-34-32-e1-68-69\WpadDecisionTime = a0e4e6740df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = a0fd56730df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e807080003001500150002002a00f400	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7FBC9FC7-3A7B-4FD0-967A-982E10960249}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\DiscardLoadTimes = e02f3f730df4da01	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Time = e807080003001500150002002a00f400	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\LoadTimeArray = 00000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7FBC9FC7-3A7B-4FD0-967A-982E10960249}\WpadDecisionTime = a0e4e6740df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3052	IEXPLORE.EXE
3052	IEXPLORE.EXE
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE
2392	G_S7.exe
2392	G_S7.exe
2744	IEXPLORE.EXE
2744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 3052	2392	G_S7.exe	31
PID 2392 wrote to memory of 3052	2392	G_S7.exe	31
PID 2392 wrote to memory of 3052	2392	G_S7.exe	31
PID 2392 wrote to memory of 3052	2392	G_S7.exe	31
PID 2536 wrote to memory of 1248	2536	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1248	2536	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1248	2536	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe	32
PID 2536 wrote to memory of 1248	2536	b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe	32
PID 3052 wrote to memory of 2688	3052	IEXPLORE.EXE	33
PID 3052 wrote to memory of 2688	3052	IEXPLORE.EXE	33
PID 3052 wrote to memory of 2688	3052	IEXPLORE.EXE	33
PID 3052 wrote to memory of 2744	3052	IEXPLORE.EXE	35
PID 3052 wrote to memory of 2744	3052	IEXPLORE.EXE	35
PID 3052 wrote to memory of 2744	3052	IEXPLORE.EXE	35
PID 3052 wrote to memory of 2744	3052	IEXPLORE.EXE	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b508641d3a1e4899b2e9921650bdb7ac_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\UNDEL.BAT
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1248

C:\Windows\G_S7.exe
C:\Windows\G_S7.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2688
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3052 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\G_S7.DLL

Filesize
277KB

MD5
d1c65ccb97ce038f1fe6d48cf8b40b43

SHA1
ddac38ae660fa7ba7c48efaf7f96c56cf87b97d0

SHA256
ba8f1fc022350dbcbd06ae62213056a407c2100d5539afb64ada25da453b0e2e

SHA512
6c2c62c858451e6d396f1f60e375c1b0a19d6dd44bf86ee4e980d366266e6076b6830b44112e2049456fff1150a1c8d88c46463465e6108347a4f567fa6890dd

Download Submit
C:\Windows\G_S7.exe

Filesize
322KB

MD5
b508641d3a1e4899b2e9921650bdb7ac

SHA1
50a88ee91fd84a1fe37d3611a1426e123f92063f

SHA256
7a36aa773c6612002c780a03dc29b07967b5812200a8d03b5833400b46156255

SHA512
7331e326762753bffddcaeeedd5a36fda2bfe3db8b7d0e8ebd9f0b210efc3487b33aa5c67ef9c9904a6e5e307345768b276222a805ee13a929d59a21dbab3723

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
553c375e7ad0e6eb4da5e3ccf8d21158

SHA1
c810c3a5201e95a8dad51d213730fb63982947c8

SHA256
65580c0a03c1a2f9ac0f158e344e17f968e5825c7b791eaba6bc6026291ca80d

SHA512
4360e6312e9102b4d18edd4ae9417aa98c4b3064880ce602beba1896df0e213d0ac5fbcf30a0632cb650f39b9a80f85475ed161fdfc4e21204269c3fd76d40e1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d72f62b31abc99edafbe5e22cc7fb82

SHA1
0e487698f1e1dea013d07728a805b9a45d2bc87d

SHA256
bccb6cd2a37ca763a6a86294ee1518a164e9db069a87f049ed3275a7285752b5

SHA512
04d57e41fac926410bdb761d9b43da0dbac7c62b8430734f7ac9da7e60554ff9a16fcacd30bce039e1843a7154da2fb65b698ebea4ba24bfefc11963eddd88f6

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7733cb92f4564abea5cb8e45b70eff5

SHA1
8e0c0ed3344f4d782b3f87816f445738f771a89e

SHA256
cd3508e28e507330121484eaad0a678ded1807fed4e14625e155055be6860151

SHA512
31105bce9299ad7e14706478ec53030b9553ff6db9159c7ea7e02276ad0dca00a428f7e3af91975713df48153e58985ea5a17559ab6a9f5a4c232b62e5e8b810

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93b1be0f8d2ece2434b8f2050040d706

SHA1
5951e9887f463f352a79d6ee9767ccc993fd8e22

SHA256
a68028ac2e734cf0db79f7870d58fdd2affe9b12afc917a57da7583c4b03de52

SHA512
c3257abc5b68df53a9a873b4541a1268e2526ce3629e90f4e0897c29e9d92039e216733315987217fa2d3b37f8954cb17fae62184e08b4707c7b75f0925e024d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c795e7e4734247e1b83f5eac2f008198

SHA1
7419d7ad1988a29956d67b0213ffe8adb5257878

SHA256
6e505e61844d946d9888dbb974e70b8c4005df901407057e01ce6b13cf1b8fe6

SHA512
32e41d84b52da71e42476a1565a5c39b922d2ad7fcbae643cdfd5b0b57f29e65efb537902821ec237158f1feb66cd52c030c18739dabb0beb21afde8b37d87aa

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0dd1372dca93f301bdcb488bf72eb791

SHA1
8d44fab274ba7d3cab9e9004556b8813b7a71614

SHA256
1f3fc40fe715fc20ee2a74a8f968cac8e49991734d9078e01aa67595a5ae59a5

SHA512
68e9d112cf917421f0625a33cda02f4ff07a3208fc7390b198158e13bb5df9b74fe3a51be8b18c5637cdcacd2a29a42aaef642eb3eb5eb5a546531431be81975

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a445d7b306058d6e684b2ba373a5fb82

SHA1
bbfd83e0bd6240bf45608fb5c2577fc7c3e6466a

SHA256
5fc3372b8e0661c3acefc9c9ca081936adca62e34a92a72dad4b0df9aec6987d

SHA512
7c93a68dbad8d0a3f8f2867e9067ab5ef394499cdf49418fda464562fc9b2667ca552bc33e57f709a4359e10e058d7265961d5845036d29d1cbf3dad8bcb36c9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
608299cdab9fc4ded1db16062279bd40

SHA1
c918fb2c006321337210a6fe9549d40d3811236d

SHA256
02fd6919e03da09e7f52e02ebb032b5616cc765e1f55929eee0273939fe2620d

SHA512
8d18eb5584da70437ba1d3d58abd80a361da6775a35c7c7d10ae831d4f135ebb1f81a2baa3d2276ea431efcb8b6b2669e6c00eb37a8aa8dee4eeccbac6a9348d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2e39009edf1eb193bfbf016715994a6

SHA1
406315a7084184926991e5dd377d7e2673e28473

SHA256
8e7462cc0a3fdfda76126126e26e70dbc102469a8df59c46c29b5fa67c2a9cba

SHA512
197e3ec6983474624bb753dabe080ab4a560097bbcfd6344b6dd01b714a566ae2afbc689bae26fd5ed6ed6dea284ca8f3b0a7ed881bc679c5367391faf546ae2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe6ee35d678b17b018c533444a97586

SHA1
9c80f771f0b11720706febbf60e67f6db1c5de08

SHA256
eb8f81b55025b5214e349e25ed9a48fd5002a91231126886b41e002a3d67b7eb

SHA512
81dd4c8c7d6e7c611b1ca00399223e8984e6a07e893da8745a361b819164239aee6f3df31fa06b70f113f06b8c0fc1554766c6eb604998c1a9d4d287cd6e773c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e06de3df12a47e7c538afdcf80d47884

SHA1
2834e208d43ed22934a622f4c7a884f1479d9881

SHA256
1302e5610c1721af053de4a4916839501be5496842f9af46757ad3edf0d77cf9

SHA512
8b03899a63f5054cfd5e269a267d505f403386e30a891087908ab56451dbac9dfda23627c753af3f85e67929c47467b12df6cfd85c6f5596eb19d8e52e485acc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d227c15f698040b823121cf4a1201b

SHA1
9341c1652595ebe44a817c1269b317e7087ab61d

SHA256
aa4efac7fae12fb01434903bbfff141dd27b38d3e6ec0abaf285757e0e0784f3

SHA512
04c6c48c86e08ea76682fcc3c9e1601e74e76aaf857df13b1319eaadae0ac6c763024e051b915996de2bca7a13c97fe44cf01e9e2c90bb44d6377d70ea46a1a7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c03e01e9da67d3a208b227d9923b6455

SHA1
6d3d6796307b2af958d9a9fb674b200ddc120464

SHA256
db7b0a952984adbc8c1706396afda68839fab5f29b5ed6664b63fcf04019c0ae

SHA512
5c4afdbdcf1a28d5a3c97d95ec0693059e9059796c3ea427190b0ff9143830ab28d550346b615d04c7a22cd31d292b81fda9d3031df162171ca23abb996a047b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb8166145e0cc8243baefa6a841d35b4

SHA1
8d8af198ac6f1e43f67cd807c451ad898811825d

SHA256
dc7e484e2ea48742196baf06cc7138118d554a7c8d57955c8c938602bfe8f2e0

SHA512
866b7878297e10f93389631a0c36c16253ecaca4e0646e4a93874c80482b1bb7369bd5cc2305f04529bd5c78d8ec24af268d7b9e0675efc3113124f36c250089

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
203c58761d4befc4e2d371c4e4b42566

SHA1
926df36e3284cbc40a916cc56f06318fad8ea8ea

SHA256
3605e7dcbfb6b5445fbe0a668c76732a4cbd2023a6e7e6d5b463aa36bf320ba4

SHA512
45bf00437afb87bf871c98c5dbabd8f23e90ed7056c2977401131d582fd993ebd9af18e96c8371daa3c73cfef05bced83cef2bb5c14c85502d55cc65fa61b2a9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b4cd3f7e66c130588478aed4f39b20

SHA1
03dfec4fe48cbf0d7e314713a69410e41ea7934a

SHA256
f68ce2a63d958d5b7b3353718ad70523edc85c11f6632927f2677245db57057f

SHA512
4e0bb0714d790e0af8e806270f52b328d4b341568c9c64b78f25de14c55d3b397a81fe1054331f8648d2d77c29e4df001bfeebf5e56e16bd1881b0478606f211

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f035892270db3a72bc9184c2e32ebcb

SHA1
b44eb7589744df3b39c0a87cb491f9e2b545cd25

SHA256
e035b2c29bb42b2dc47229355389cdf55b3fa9ae632fcf62c6bd519b51666024

SHA512
37b616036270f951e6fb79a54c3674bcf4d7ec656596bbf51c5e4c0a910f5653607a8fde348c3a7875bb31a5bfa17ccbd4bbef533253ca6c107d76c11e2674bb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f4cfb8e1d9442f65bbac3c30f1f18e

SHA1
afcf08b57e13b33f02613858fc395399955974ea

SHA256
1f960fc45980a5633d25e4ec8852d9e76c13f85195ed2b6868fe42073fbc7e25

SHA512
130a947a0a8f417382cd0fc1faaa8567a15620d7ef2e7748df9d31b21be6a385ed843ee41ac13b153a862c0d5ce33cbb02a3589f2a3edb1d24b30ba8e0323a3f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b45a92ebd99cec1e423acfbee603e5d

SHA1
73f58a07425f10f10df39c10fd96b755d5b16aad

SHA256
9f89ffc6e5f2c4fd5f1ed3670181c30739376603157a441cb95be5398d11a503

SHA512
1cdcdecc7c78f3fac6821b170646a3e62920b7ba620a68dc82d375647926f13272b59525140b954af61430601fa440bb87a9199a531ff2cad4334e290ad20f3a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
607cc39cc076f47f31ebc2105f5f036c

SHA1
5f81b6a4ae7ace5849bf84ce6ed5159765802b14

SHA256
d323ed696643a7eadd86d59871ac2df6ab1bcae4cded20e93699a18aa09e27a0

SHA512
d2f5ebc59b3101a2c128f743c68cb3d79fb13efedd4e25dbef7734fc07a473018263c44a930e878d7f8969f50962963cb0145dea637ce512ebc042f6a2367862

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabD09F.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarD0A0.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarD289.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwC4A7.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\UNDEL.BAT

Filesize
218B

MD5
b2a7ab0301b41b1523f152dd66d2dd97

SHA1
f4fa02ecc77245bc2d8f51767fe97d055f4d74d6

SHA256
cb944aa92a75f18908b7de470a521fe8017da6db3eb9aefd0f0a458db3614508

SHA512
54bb66abd866f225f463a38f0ff3b5a5a73ac2d62f0a33ff5d54f9e6aace072af0fed9cafad73b8ff980757ead96c402ab48a2228eeefa2b567de65917c20990

Download Submit
memory/2392-702-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2392-566-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2392-553-0x0000000002200000-0x0000000002332000-memory.dmp

Filesize
1.2MB

Download
memory/2392-701-0x0000000002200000-0x0000000002332000-memory.dmp

Filesize
1.2MB

Download
memory/2392-700-0x0000000000400000-0x000000000046001C-memory.dmp

Filesize
384KB

Download
memory/2392-579-0x0000000077D1F000-0x0000000077D20000-memory.dmp

Filesize
4KB

Download
memory/2392-578-0x0000000077D1F000-0x0000000077D20000-memory.dmp

Filesize
4KB

Download
memory/2536-10-0x0000000000400000-0x000000000046001C-memory.dmp

Filesize
384KB

Download