98d51516af5c2ffc730163d59748eb9d85201ccebb065257ae221582e7f34e4b

Analysis

max time kernel
68s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 04:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe
Size

655KB
MD5

b6630ed311ce4607cc00e8d432a1e2e0
SHA1

4f1fc82b2e96529429d6aa3d55311cfed3eca718
SHA256

98d51516af5c2ffc730163d59748eb9d85201ccebb065257ae221582e7f34e4b
SHA512

ace7674a88960133d68ebebd617708ba4a8fe5ce54fabcd52211cec5fd6249b6935c8ff151811228f530f912596ee4db4f10b273684507e606eff6cf18c5ef7e
SSDEEP

12288:bp/StqG0AfIhdX8fr70t7QTyh8WAjKmnF3Z4mxxOo3ABt4QCdeO9:bpa0AfqB8j7I1yQmXOQut4QCde4

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2696	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2788	L_Server2007.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2314F721-6041-11EF-A2BE-5E235017FF15}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	ie4uinit.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\desktop.ini	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IECompatCache\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2314F721-6041-11EF-A2BE-5E235017FF15}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2314F72C-6041-11EF-A2BE-5E235017FF15}.dat	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk	ie4uinit.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming	IEXPLORE.EXE
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ieonline.microsoft[1]	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\DNTException\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{2314F723-6041-11EF-A2BE-5E235017FF15}.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\System32\config\systemprofile\Favorites\Links	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\Favorites\Links\Suggested Sites.url	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\favicon[1].ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	IEXPLORE.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PrivacIE\Low	IEXPLORE.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml	IEXPLORE.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L_Server2007.exe	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe
File opened for modification	C:\Windows\L_Server2007.exe	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe
File created	C:\Windows\L_Server2007.DLL	L_Server2007.exe
File opened for modification	C:\Windows\L_Server2007.DLL	L_Server2007.exe
File created	C:\Windows\uninstal.bat	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	L_Server2007.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Version = "*"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	L_Server2007.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup	ie4uinit.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000400160004002b0038008800	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.bing.com/search?q={searchTerms}&src=IE-TopResult&FORM=IE11TR"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021493-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{ECD8A8C1-E138-492D-AA7C-91C36501195A}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Type = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\URL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore\Time = e80708000400160004002c0001007c03	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}\iexplore\Time = e80708000400160004002c0001007c03	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2314F721-6041-11EF-A2BE-5E235017FF15} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\Software\Microsoft\Internet Explorer	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046}\Enum	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = a0eea3e54df4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Flags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430463702"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{B4F3A835-0E21-4959-BA22-42B3008E02FF}	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000064ad6ada68c2274e9d9e31a96f8b7e4000000000020000000000106600000001000020000000d429ebb4a8937202d025233c1fe28aa937cbf1d75d03c3dc8f308b0a0caa62ad000000000e80000000020000200000007d61af5730574e2e1cdb34491b5a4df8b2656ac56379fd7a867d889759ddac02100000004b85fb652eff2d1ef022181b1cf27fcf4000000035929f61bc6a37c2958398df7a42e4e6aee27b755c2184db5708b0300e5f389de55e9595f58db8c2527fc2fc3298c9c6708c02e5036a401f530c543837a7ced7	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\Flags = "512"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore\Blocked = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\AppDataLow	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2916	IEXPLORE.EXE
2916	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2916	2788	L_Server2007.exe	31
PID 2788 wrote to memory of 2916	2788	L_Server2007.exe	31
PID 2788 wrote to memory of 2916	2788	L_Server2007.exe	31
PID 2788 wrote to memory of 2916	2788	L_Server2007.exe	31
PID 2916 wrote to memory of 2068	2916	IEXPLORE.EXE	32
PID 2916 wrote to memory of 2068	2916	IEXPLORE.EXE	32
PID 2916 wrote to memory of 2068	2916	IEXPLORE.EXE	32
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 1328 wrote to memory of 2696	1328	b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe	33
PID 2916 wrote to memory of 2680	2916	IEXPLORE.EXE	35
PID 2916 wrote to memory of 2680	2916	IEXPLORE.EXE	35
PID 2916 wrote to memory of 2680	2916	IEXPLORE.EXE	35
PID 2916 wrote to memory of 2680	2916	IEXPLORE.EXE	35
PID 2788 wrote to memory of 2916	2788	L_Server2007.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6630ed311ce4607cc00e8d432a1e2e0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\uninstal.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2696

C:\Windows\L_Server2007.exe
C:\Windows\L_Server2007.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    3⤵
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:2068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2916 CREDAT:275457 /prefetch:2
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\L_Server2007.exe

Filesize
655KB

MD5
b6630ed311ce4607cc00e8d432a1e2e0

SHA1
4f1fc82b2e96529429d6aa3d55311cfed3eca718

SHA256
98d51516af5c2ffc730163d59748eb9d85201ccebb065257ae221582e7f34e4b

SHA512
ace7674a88960133d68ebebd617708ba4a8fe5ce54fabcd52211cec5fd6249b6935c8ff151811228f530f912596ee4db4f10b273684507e606eff6cf18c5ef7e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ae1d463a164691dc955751c10f6ae101

SHA1
c454818c45a1d59bed3b50168e7912d357ff0e07

SHA256
50da1d4302475c3ad9de003e23bfd6ecae2668e0d17df573d7cf5efef458ec5f

SHA512
baded221a68fb747866be53d7bd32c751c8f42ee0b42734ae38306effa1c78b0bdbb31d4bdd4865af6e0eb2ab6cd090116404f7db938f6cd023ba9c40b81479e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1550a4eefd6be433bbac444f7e071a8

SHA1
4588a74f39e564f6160f8b0e7f65f1d9530d7ae9

SHA256
adc6091209e41f15a78344b9333085821b1b350150a8599a37f7c5d7ebd70929

SHA512
3039921fad4f41e632eb13924ce9c4f4f34c751c24b9716bbb2ef5248896c5b8ec06f515333740ce8f2b32ea2aadea1313b9c3389fcd63046542fb8a69cf33b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20a4e8ff861cc96aa9dcf323999f3108

SHA1
a675f60323c6f86cbc752e15000d7b80cd9365e5

SHA256
8a94c412492eb0901fb72a91363119b5ab8fbf89280193d985c7eec71dadab78

SHA512
b8a5dde7401a0019cc1a39683aab547f24cd11f37d8743a89101d5043c074a26fdda263910aa1290d60ce9e04764e5c02c42bf5dcc18ccb51c2e993ef702c66d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2c012a756b5ecaf78fe6ba09be54943

SHA1
314c52daa7da67f703215356479585277329e476

SHA256
7638cc3655d556dc120d3147cfc79d246819a375aa28c1ac40a657a1a3d6e67c

SHA512
4df035c608aa20bd9b06829fb0e41bbfc3e9e73dd638077ab912e3fe4f409e565a4e98da778b0fb99e03693e8df223825cc8586bdb4ff2cde739886d3647ce3c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547cdcb626041cba8fdf1705a17209ce

SHA1
56d8cc5c193b95b2d5247f16981b9526e6a882a7

SHA256
b8ebbdd7118f21ba408285fe4c8e208db59c7434aaf78e7c4ede54481a533cf8

SHA512
68c9f11bb90b4c99ea6ee85c7ba853fd52ce62260cf2129ab82a0a20d9db00240c1c26eb0e3b618e28c0ff0cb4dd4173baabb3ed1a3e97154da601520fa19ed0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45e7aea5809bc96f42c25ecf35557505

SHA1
b205baf485a9f08882cc05a44e7c49a2563fba9f

SHA256
4271ff8329b8b2f2a373b680b26950e49d488525f256edf19948d9eae3dff861

SHA512
dc9888838c463e64fa01b2ff9e424feb51f1d4da731a0447890d67c7071bb76b9067349e616cf9e6369bf7f80cdcd306194aee32a67edd2368d23684bf661e00

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21335ba26c6d172387a1f4b486859791

SHA1
6302425cbe6c32645ce64cdbdd32bc9b41ad76b1

SHA256
94d643eafc6c3f8180953945bf19722610bbc2756a0d48fbb283c799bf5c0e3e

SHA512
88a57ed84d6ae49222d70ce05b314278211adcc8a36e20d7892071e4c8612e0d67cb3c48e06d0a4828d8f8a3213459277c34dd7165ab797a4f81ae3fbe1866f1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a341822402d1d45edfc782d9a2f0f67

SHA1
73623628d7d2997a96be2638410fab05647aae49

SHA256
c735fccb44c24588245255bca3a69155ca430e6fad2e41203de14f50d867ad83

SHA512
b2e3bde8a617772ba9cdaa6a9848c7039e7ec02019d1269cfd4dfa0190bea5aeb488e6e7829d3f9b46b0bd2e8ef9c726dfeb354050e3aad50d7ed0486202fa30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fae208f09e8e107d03c6d430556bc92e

SHA1
c381731f59308767f0467562b4da301ceb99575a

SHA256
d83d43b6e33235657ece6569c5eddaffdaf5589eac7e171f0be8e32154c6bd1a

SHA512
a36eba8d518cfe8737adbb68c917fd95acbbe925d3308eba2ee12e44aa589b7d7df268a1e821700dbe087a80169fb8ea71896193c506f699720c126730808ee3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05942ba52250a79b4c49f701fb599bd2

SHA1
66344e1a4792866a0510a39e28ef5dea499dc24d

SHA256
3846db75d9a7afe67a738f0a9b64a58082a7dc4f2e9be019bbf29df654ebe614

SHA512
838af16c041c81ff04d27ce4d0dd6330a57bd465db6f2ee6679df75533111d1f47156d1150bee3b95b31f37c53e670839d7119cb6d7a0444c88ebb12a50f5b6b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d1bcfbfcae6dbaec4c9ea63fc8809f

SHA1
5a74ebad1299103d9e60ec36e2706dc06801a808

SHA256
3c73e7465fcdc1f1f4ce025024fb61269b14272cd325f377087394c31ecb976a

SHA512
70ace91e26c7b607af55e12ef8cb51ceb838a2ffc33440e46090cfaf0f0a21d293c67884149537c643b4b5471dedfc78d460433bfbd66b46688c958cfd4c4412

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eb0f091b4dcd4ab772cb7a95e92f5f2

SHA1
4c1d93de90658509d582f27567c28e1c9a8ffae4

SHA256
637d39795fd5ae4f76cba2bd55f19b3b3a1670b68988bddb255c40bdf8d0d319

SHA512
b734bed2792b5d3484af7519527fdebddb35d057f06a64b572f5f10e275a21918ff397a1efcbb84e7ddb66a1c57e84982f60d86bd876a641f4fe690bcdd77466

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18838fc9735c22b0282dc59f494f73eb

SHA1
2dbe41bc0eb27226506856797597c9ca8686f5b6

SHA256
4cc00baf89b024ebf5024ff82de5c509eebfb193a9840024599f513ad422ca47

SHA512
3de41e51f9ecfed6adfce5dedba406090cab1f5fe84c45c8f0bccd98ef7912f26fefa7290077bd63e2183ad480cea4b60bd5ef5b34f743de93c4e35af7693367

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d265b3e6386ea058554019ae5b19a03

SHA1
d8940834a8ef932db955c4c98f72844339675294

SHA256
9a84e34e8b81886e08e9df6eeabb878943734969db7390dc33011b3fd3640d8f

SHA512
f444d3ef0b368f429cb1fd920034bc5358259dd5e60210c31aa606f3cbe66c7bd09ce47a50b32976c2081a3c0bb18eec4ae3c1f1972afd0e3e31b675acbfa3a0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bfacb720c0fabfc21f2d5c63f6584c5

SHA1
3df4ed8b4592cfc7f4dd2ccbc86b0c4d861aed58

SHA256
1e86136e7258197a2328f8c48c4f2a8e01fa793ab94d1905affa74a943b15753

SHA512
16b205a59521838ddffb95f98d18f74f81369deec92b0ad097ad77e7d163b184163319120217030dea893be1d4c4b9b9937ada171aabd3b5f91b6fa0741c9467

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6fcea1ccf1172aee4644f3d6c0e7aa8

SHA1
f2dea8ef186e95d16a9b2355ec90e7de6beb3ffe

SHA256
2e280f0bb60f2903d048da05475abbc8d188b7483670d0d2b602d9db58fb84d7

SHA512
6b94d1cf344f845c2948dc239b8f934acaca537464dd7a41397083f7110231a8b05bf7e5e378ed54a393d2926a5395c90e2da58185705dc19ec41ab9d0c5c34a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1596119cd73f7a6242d023b2a4c079c

SHA1
1f07606599977267287a09c044bf01965ecf5ac9

SHA256
aec8506e0b6db3602ce6f6d075641ecfd5bb7b296e1a0671a1f162ae85030c86

SHA512
c1d2786c7d42d82d441ce4d3e93759c04adf13622032fdc2c2cdca4b62c85ec8b9286faa32aa92d3551eca2ab6e4e449257baa4557e08a88964e1af90822362e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c95c75dc2692a77611cd34091ba75f1

SHA1
d33b38d87f976d6c16fd3338223ea51ecb92720a

SHA256
26219747ce5331c823de3237e9059ae13e47ac83f98ceb01cd7824f729a9b6bb

SHA512
9929c1c74f9171e9ac5214cff1f33bd4742f48928f33297baeb6389f393a3c000589ca259884dd0da8a41f62f447413756a037c4c89bf88e58837708f3db8e06

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71079bcb40c5ce3e25f41586c7471386

SHA1
e15d9b1f672849c2b3352c6a1e9723b893c1ad63

SHA256
35016c497ed0960f39829ece671a3e44756af15de7964ce7bd460678b1d6b7ee

SHA512
1312fb3e7a97d44414192c161798372d53402388ec7ab9a61836590bf908c61c1ad45c3f7ee4ff40a5ec5112bafd459d9fd1a7391d3273466eed944742bd5c3f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
738c086473e4c85127c7cebb72cf7722

SHA1
4fa7fc4698df75ade129717d41ae5d936d541bd0

SHA256
9261e04c7730db323a32f4daa07d887ee1f5ed8f964022f89541db624d24526a

SHA512
91adc7474dc4905ddb2b86599a5490af0d7646174776a0dee8be0344b3201c8d2778046528533b74ba2d63a7cc198bd912fa33380dafcbe477b0903511324192

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
129B

MD5
2578ef0db08f1e1e7578068186a1be0f

SHA1
87dca2f554fa51a98726f0a7a9ac0120be0c4572

SHA256
bdc63d9fd191114227a6e0ac32aaf4de85b91fc602fcb8555c0f3816ac8620b3

SHA512
b42be0e6f438362d107f0f3a7e4809753cf3491ab15145f9ffa4def413606243f4dfffc0449687bd1bb01c653e9339e26b97c286382743d14a2f0ed52e72f7ee

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\Suggested Sites.url

Filesize
236B

MD5
11cede0563d1d61930e433cd638d6419

SHA1
366b26547292482b871404b33930cefca8810dbd

SHA256
e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9

SHA512
d9a4cdd3d3970d1f3812f7b5d21bb9ae1f1347d0ddfe079a1b5ef15ec1367778056b64b865b21dd52692134771655461760db75309c78dc6f372cc4d0ab7c752

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\Links\desktop.ini

Filesize
80B

MD5
3c106f431417240da12fd827323b7724

SHA1
2345cc77576f666b812b55ea7420b8d2c4d2a0b5

SHA256
e469ed17b4b54595b335dc51817a52b81fcf13aad7b7b994626f84ec097c5d57

SHA512
c7391b6b9c4e00494910303e8a6c4dca5a5fc0c461047ef95e3be1c8764928af344a29e2e7c92819174894b51ae0e69b5e11a9dc7cb093f984553d34d5e737bb

Download Submit
C:\Windows\System32\config\systemprofile\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Windows\Temp\CabB5BD.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarB5C0.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\Temp\TarB75C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Temp\wwwAA15.tmp

Filesize
195B

MD5
a1fd5255ed62e10721ac426cd139aa83

SHA1
98a11bdd942bb66e9c829ae0685239212e966b9e

SHA256
d3b6eea852bacee54fbf4f3d77c6ec6d198bd59258968528a0231589f01b32f4

SHA512
51399b4eac1883f0e52279f6b9943d5a626de378105cadff2b3c17473edf0835d67437ae8e8d0e25e5d4b88f924fa3ac74d808123ec2b7f98eff1b248a1ab370

Download Submit
C:\Windows\Temp\wwwAA16.tmp

Filesize
216B

MD5
2ce792bc1394673282b741a25d6148a2

SHA1
5835c389ea0f0c1423fa26f98b84a875a11d19b1

SHA256
992031e95ad1e0f4305479e8d132c1ff14ed0eb913da33f23c576cd89f14fa48

SHA512
cdcc4d9967570018ec7dc3d825ff96b4817fecfbd424d30b74ba9ab6cc16cb035434f680b3d035f7959ceb0cc9e3c56f8dc78b06adb1dd2289930cc9acc87749

Download Submit
C:\Windows\uninstal.bat

Filesize
218B

MD5
c4a1057cbc7ddde173913214d328b2bb

SHA1
efdfd448cbbb5b9d44d941fa4650b1a0ecb3d1ab

SHA256
5ba17a93e940e04ac614c6f5f921c0d1fcd366b3963f93dca962d22ddca0a7ab

SHA512
36b9db71fc63622e06cbd40857123865ac2df87cfb6ee39f76f8a1d6a61a238ae17cadbf6f3389cef5d304d87eb4e9c38b825f843d75c3ed939980a378a0bb25

Download Submit
memory/1328-5-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/1328-8-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1328-36-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/1328-0-0x0000000013140000-0x0000000013252000-memory.dmp

Filesize
1.1MB

Download
memory/1328-2-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1328-3-0x0000000001C30000-0x0000000001C31000-memory.dmp

Filesize
4KB

Download
memory/1328-4-0x0000000001C80000-0x0000000001C81000-memory.dmp

Filesize
4KB

Download
memory/1328-1-0x0000000000350000-0x00000000003A4000-memory.dmp

Filesize
336KB

Download
memory/1328-6-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/1328-7-0x0000000001C70000-0x0000000001C71000-memory.dmp

Filesize
4KB

Download
memory/1328-10-0x0000000001C20000-0x0000000001C21000-memory.dmp

Filesize
4KB

Download
memory/1328-37-0x0000000013140000-0x0000000013252000-memory.dmp

Filesize
1.1MB

Download
memory/1328-9-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/1328-13-0x0000000003110000-0x0000000003210000-memory.dmp

Filesize
1024KB

Download
memory/1328-14-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/1328-15-0x0000000003110000-0x0000000003112000-memory.dmp

Filesize
8KB

Download
memory/1328-16-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/1328-17-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1328-18-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1328-19-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/2788-622-0x0000000013140000-0x0000000013252000-memory.dmp

Filesize
1.1MB

Download
memory/2788-21-0x0000000013140000-0x0000000013252000-memory.dmp

Filesize
1.1MB

Download