7d2f27e40cea3248fe952148b0d636c45a0e196c320bc9e441c186abc7f6bd0d

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
Size

4.3MB
MD5

8270cc8f6e3575c3d6dac84783c7895b
SHA1

43057f92c25747f11bc1c28d04c899cd54003a10
SHA256

7d2f27e40cea3248fe952148b0d636c45a0e196c320bc9e441c186abc7f6bd0d
SHA512

4cadf853469c4a5bc5944d8246da4b62d8e4e506838fde5b799986ba052f4335d5d229eaa8c76f70c552210f40685b6d7a06189147cc428f9d71f5aa346869e2
SSDEEP

98304:hI5plrd55Q8ysqZw5QCVUFYnT3kup/6hoCS4rCwNM4nt:KplR7rnyw5B+AT3kS6hE45Pt

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
4416	setup.exe
3188	Regsvr32.exe
892	Regsvr32.exe
2332	Regsvr32.exe
4440	Regsvr32.exe
392	Regsvr32.exe
1116	Regsvr32.exe
992	Regsvr32.exe
2320	Regsvr32.exe
4684	Regsvr32.exe
3584	Regsvr32.exe
3724	Regsvr32.exe
1448	Regsvr32.exe
1332	Regsvr32.exe
4608	Regsvr32.exe
3676	Regsvr32.exe
344	ISOBurner.exe

Loads dropped DLL 20 IoCs

pid	Process
4416	setup.exe
3188	Regsvr32.exe
4416	setup.exe
4416	setup.exe
2332	Regsvr32.exe
4440	Regsvr32.exe
392	Regsvr32.exe
1116	Regsvr32.exe
4416	setup.exe
4416	setup.exe
4416	setup.exe
4416	setup.exe
4416	setup.exe
4416	setup.exe
3724	Regsvr32.exe
1448	Regsvr32.exe
4416	setup.exe
4416	setup.exe
4416	setup.exe
3676	Regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\VB6FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\VB6STKIT.DLL	setup.exe
File created	C:\Windows\SysWOW64\MSINET.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\msxml3.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\sensapi.dll	setup.exe
File created	C:\Windows\SysWOW64\mscomctl.ocx	setup.exe
File created	C:\Windows\SysWOW64\GIF89.DLL	setup.exe
File created	C:\Windows\SysWOW64\MSCMCFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\INETFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSINET.OCX	setup.exe
File created	C:\Windows\SysWOW64\scrrnfr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\ASYCFILT.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\OLEPRO32.DLL	setup.exe
File created	C:\Windows\SysWOW64\VB6FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MCI32.OCX	setup.exe
File created	C:\Windows\SysWOW64\MCIFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\RUNNABLE.TLB	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMCAT.DLL	setup.exe
File created	C:\Windows\SysWOW64\CMDLGFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\CMDLGFR.DLL	setup.exe
File created	C:\Windows\SysWOW64\VB6STKIT.DLL	setup.exe
File created	C:\Windows\SysWOW64\MSCOMCT2.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCOMCT2.OCX	setup.exe
File created	C:\Windows\SysWOW64\CMCT3FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMDLG32.OCX	setup.exe
File created	C:\Windows\SysWOW64\COMCT332.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\GIF89.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\MSCMCFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\STDOLE2.TLB	setup.exe
File created	C:\Windows\SysWOW64\INETFR.DLL	setup.exe
File created	C:\Windows\SysWOW64\MCI32.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\MCIFR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\CMCT3FR.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\scrrun.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\WNASPI32.DLL	setup.exe
File created	C:\Windows\SysWOW64\RUNNABLE.TLB	setup.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	setup.exe
File created	C:\Windows\SysWOW64\Mscc2fr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\Mscc2fr.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\SSubTmr6.dll	setup.exe
File created	C:\Windows\SysWOW64\COMDLG32.OCX	setup.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	setup.exe
File opened for modification	C:\Windows\SysWOW64\OLEAUT32.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\scrrnfr.dll	setup.exe
File created	C:\Windows\SysWOW64\SSubTmr6.dll	setup.exe
File created	C:\Windows\SysWOW64\WNASPI32.DLL	setup.exe
File opened for modification	C:\Windows\SysWOW64\COMCT332.OCX	setup.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b85-9.dat	upx
behavioral2/memory/4416-10-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4416-14-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4416-60-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4416-247-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral2/memory/4416-250-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ISOpen\izo.ico	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOBurner.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISO.ico	setup.exe
File created	C:\Program Files (x86)\ISOpen\iso2bin.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOPENASPI.dll	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\English.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\French.lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Russian.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Russian.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lame\lame.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\setup.log	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\GRAPHIC.DAT	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\cd.dat	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\Disc.dat	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\Disc.dat	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Dutch.Lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Ressources\GRAPHIC.DAT	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Chinese(CHS).lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lame\lame.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOburnParam.dll	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOpen.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\iso2bin.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOPENASPI.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\setup.log	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Chinese(CHS).lng	setup.exe
File created	C:\Program Files (x86)\ISOpen\uninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\uninstall.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\English.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\French.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Italiano.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOBurner.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\aspi32.exe	setup.exe
File created	C:\Program Files (x86)\ISOpen\ISOburnParam.dll	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Ressources\cd.dat	setup.exe
File created	C:\Program Files (x86)\ISOpen\Lang\Italiano.lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\Lang\Dutch.Lng	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISOpen.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\ISO.ico	setup.exe
File created	C:\Program Files (x86)\ISOpen\izo.ico	setup.exe
File opened for modification	C:\Program Files (x86)\ISOpen\aspi32.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ISOBurner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{38911DA0-E448-11D0-84A3-00DD01104159}\1.1\0\win32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ComCtl3.Bands\ = "Coolbar Bands"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl\ = "Microsoft ImageList Control 6.0 (SP4)"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\ToolboxBitmap32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE3D-8596-11D1-B16A-00C0F0283628}\InprocServer32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F22-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BDD1F04B-858B-11D1-B16A-00C0F0283628}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8E3867A2-8586-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{41A7D760-6018-11CF-9016-00AA0068841E}\TypeLib\ = "{EA544A21-C82D-11D1-A3E4-00A0C90AEA82}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib\Version = "2.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD49EAC1-E34C-4DB8-BFFA-381DC1260803}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ISOBurner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C5CC5CB-D3BC-11D0-84A2-00DD01104159}\ = "ComCtl3Satellite.Resources"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\ToolboxBitmap32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8E3867AA-8586-11D1-B16A-00C0F0283628}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BDD1F050-858B-11D1-B16A-00C0F0283628}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1CF2B120-547D-101B-8E65-08002B2BD119}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{000204EF-0000-0000-C000-000000000046}\6.0\9\win32\ = "C:\\Windows\\SysWow64\\msvbvm60.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{742B0E01-14E6-101B-914E-00AA00300CAB}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{232E456A-87C3-11D1-8BE3-0000F8754DA1}\Control	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ComCtl3.Band	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F08DF954-8592-11D1-B16A-00C0F0283628}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C74190B7-8589-11D1-B16A-00C0F0283628}\ = "INodes"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C0324960-2AAA-11CF-AD67-00AA00614F3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{22F55881-280B-11D0-A8A9-00A0C90C2004}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{603C7E80-87C2-11D1-8BE3-0000F8754DA1}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C12FDCC-D67D-41B9-A236-27E732457A0D}\ProxyStubClsid32	ISOBurner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B28FA150-0FF0-11CF-A911-00AA0062BB4C}\TypeLib\Version = "6.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB41E8C3-4442-11D1-8906-00A0C9110049}\TypeLib\Version = "6.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\ = "{F9043C88-F6F2-101A-A3C9-08002B2F49FB}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FED-8583-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F24-8591-11D1-B16A-00C0F0283628}\TypeLib\Version = "2.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B196B28C-BAB4-101A-B69C-00AA00341D07}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6BC3AC0-DBAA-11CE-9DE3-00AA004BB851}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C1A8AF25-1257-101B-8FB0-0020AF039CA3}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{86CF1D34-0C5F-11D2-A9FC-0000F8754DA1}\2.0\ = "Microsoft Windows Common Controls-2 6.0 (SP4)"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{603C7E7F-87C2-11D1-8BE3-0000F8754DA1}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5522DB04-06D6-11D2-8D70-00A0C98B28E2}\ProgID\ = "ComCtl3.BandProperties"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{28D47530-CF84-11D1-834C-00A0249F0C28}\MiscStatus	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{35053A20-8589-11D1-B16A-00C0F0283628}\ = "IProgressBar"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5522DAF9-06D6-11D2-8D70-00A0C98B28E2}\TypeLib\ = "{38911DA0-E448-11D0-84A3-00DD01104159}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{28D47522-CF84-11D1-834C-00A0249F0C28}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.ImageListCtrl.2\CLSID\ = "{2C247F23-8591-11D1-B16A-00C0F0283628}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F08DF952-8592-11D1-B16A-00C0F0283628}\TypeLib\ = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C4D651F0-7697-11D1-A1E9-00A0C90F2731}\TypeLib\Version = "6.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\CLSID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.Animation\CLSID\ = "{B09DE715-87C1-11D1-8BE3-0000F8754DA1}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{71A2702E-C7D8-11D2-BEF8-525400DFB47A}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{083039C2-13F4-11D1-8B7E-0000F8754DA1}\TypeLib\Version = "1.2"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66833FE7-8583-11D1-B16A-00C0F0283628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B09DE715-87C1-11D1-8BE3-0000F8754DA1}\MiscStatus\1	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20DD1B9E-87C4-11D1-8BE3-0000F8754DA1}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComCtl2.DTPicker\CurVer	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\mscomctl.ocx, 3"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E3867A3-8586-11D1-B16A-00C0F0283628}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Slider	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{35053A22-8589-11D1-B16A-00C0F0283628}\MiscStatus\1\ = "172433"	Regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
344	ISOBurner.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 4416	2512	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	84
PID 2512 wrote to memory of 4416	2512	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	84
PID 2512 wrote to memory of 4416	2512	8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe	84
PID 4416 wrote to memory of 3188	4416	setup.exe	100
PID 4416 wrote to memory of 3188	4416	setup.exe	100
PID 4416 wrote to memory of 3188	4416	setup.exe	100
PID 4416 wrote to memory of 892	4416	setup.exe	101
PID 4416 wrote to memory of 892	4416	setup.exe	101
PID 4416 wrote to memory of 892	4416	setup.exe	101
PID 4416 wrote to memory of 2332	4416	setup.exe	102
PID 4416 wrote to memory of 2332	4416	setup.exe	102
PID 4416 wrote to memory of 2332	4416	setup.exe	102
PID 4416 wrote to memory of 4440	4416	setup.exe	103
PID 4416 wrote to memory of 4440	4416	setup.exe	103
PID 4416 wrote to memory of 4440	4416	setup.exe	103
PID 4416 wrote to memory of 392	4416	setup.exe	104
PID 4416 wrote to memory of 392	4416	setup.exe	104
PID 4416 wrote to memory of 392	4416	setup.exe	104
PID 4416 wrote to memory of 1116	4416	setup.exe	105
PID 4416 wrote to memory of 1116	4416	setup.exe	105
PID 4416 wrote to memory of 1116	4416	setup.exe	105
PID 4416 wrote to memory of 992	4416	setup.exe	106
PID 4416 wrote to memory of 992	4416	setup.exe	106
PID 4416 wrote to memory of 992	4416	setup.exe	106
PID 4416 wrote to memory of 2320	4416	setup.exe	107
PID 4416 wrote to memory of 2320	4416	setup.exe	107
PID 4416 wrote to memory of 2320	4416	setup.exe	107
PID 4416 wrote to memory of 4684	4416	setup.exe	108
PID 4416 wrote to memory of 4684	4416	setup.exe	108
PID 4416 wrote to memory of 4684	4416	setup.exe	108
PID 4416 wrote to memory of 3584	4416	setup.exe	109
PID 4416 wrote to memory of 3584	4416	setup.exe	109
PID 4416 wrote to memory of 3584	4416	setup.exe	109
PID 4416 wrote to memory of 3724	4416	setup.exe	110
PID 4416 wrote to memory of 3724	4416	setup.exe	110
PID 4416 wrote to memory of 3724	4416	setup.exe	110
PID 4416 wrote to memory of 1448	4416	setup.exe	111
PID 4416 wrote to memory of 1448	4416	setup.exe	111
PID 4416 wrote to memory of 1448	4416	setup.exe	111
PID 4416 wrote to memory of 1332	4416	setup.exe	112
PID 4416 wrote to memory of 1332	4416	setup.exe	112
PID 4416 wrote to memory of 1332	4416	setup.exe	112
PID 4416 wrote to memory of 4608	4416	setup.exe	113
PID 4416 wrote to memory of 4608	4416	setup.exe	113
PID 4416 wrote to memory of 4608	4416	setup.exe	113
PID 4416 wrote to memory of 3676	4416	setup.exe	114
PID 4416 wrote to memory of 3676	4416	setup.exe	114
PID 4416 wrote to memory of 3676	4416	setup.exe	114
PID 4416 wrote to memory of 344	4416	setup.exe	115
PID 4416 wrote to memory of 344	4416	setup.exe	115
PID 4416 wrote to memory of 344	4416	setup.exe	115

C:\Users\Admin\AppData\Local\Temp\8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8270cc8f6e3575c3d6dac84783c7895b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\ae28339\setup.exe
  C:\Users\Admin\AppData\Local\Temp\ae28339\setup.exe -d "C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4416
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\CMCT3FR.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3188
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\COMCAT.DLL"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:892
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\COMCT332.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2332
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\COMDLG32.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\GIF89.DLL"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:392
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\mscomctl.ocx"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1116
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\msvbvm60.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:992
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\OLEAUT32.DLL"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2320
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\OLEPRO32.DLL"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4684
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\MSINET.OCX"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\MCI32.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3724
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\MSCOMCT2.OCX"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1448
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\msxml3.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\scrrun.dll"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4608
- - C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe
    C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe /s "C:\Windows\system32\SSubTmr6.dll"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3676
- - C:\Program Files (x86)\ISOpen\ISOBurner.exe
    "C:\Program Files (x86)\ISOpen\ISOBurner.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ISOpen\ISOBurner.exe

Filesize
40KB

MD5
f22837c8c45d5b5d60024cb5d9bcad8f

SHA1
c31c64e00082fc75b7aef17114bd087c370f91a0

SHA256
7fb3bfab48e5e74a26f2d2964d78ad3856fa474223fd9aa835948d6324ae1837

SHA512
63ad9d9209cde18e0c69523e963a1aee4888851959010d63062293008ee6fd1ffc8abaa30be69a7c1129dbce8eef2793f56198a6d8a3dc8ab8490c01a8ebea37

Download Submit
C:\Program Files (x86)\ISOpen\ISOpen.exe

Filesize
367KB

MD5
dd6d045d04d823a11a370267763d2f0c

SHA1
e1add69fa0395bbb0e0d7c1f0179238eb7bbd15a

SHA256
9203b659ef2223d6dc551d6c68eda249b11565440b70e07d2e82bebeca4feb55

SHA512
c27e57a1e1f5cfd1113b4ee755286bd973a5aa071458445c4e883e21940c92d8fd7700d370ea1f05c0c880fdf46560d0b2dcf3520c66cbce199fadef6dcf310a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28339\English.dat

Filesize
5KB

MD5
11075490b216306d47156dd9c9db9b52

SHA1
b7549823c0c9e147e0c0735291da9d2c7e84b768

SHA256
1f8ada3c4bbd62495b3747bdffe6f1745f7484ce86045e7227515f27d2253fe4

SHA512
b5a62d042a3146290a4bb5fff35908bbe8cc1a3f1572afa3a5f27846a191eca98d93698984f8bb6b605b9c3421d3451d1d607b0361ef552b26cb882faaa2b50d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28339\Regsvr32.exe

Filesize
36KB

MD5
7b194f51f6b52233c33a7d0d88a91581

SHA1
459dc713fd52197d025fb7b4b4833ed5dca73a87

SHA256
7c05339da12624396d9911263dc7c993fc2e757e130009465a511045bf06d344

SHA512
dd835fa6d8f57159ff045bc3c89d1eea965411a34f1a8d0232ed58a1fde885cb3e489fdd01d2bf31aec606130a6b6dc6e3e7602ecb852326dc293604793504cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28339\Setup.ini

Filesize
4KB

MD5
9c09600e62f0001a701ccaeabed8f67b

SHA1
c89690c00e04d48c773c05c5dca09f43eff66175

SHA256
be931922461aa31c158cf59bc100fd9451a6dfd920c6fa18ba9216ef7f504389

SHA512
dac81d6cab5920e0f5f4b84d57bd2eb627b69b2fdec9eef9e0cf174d0d2de3ff1afffb9d4db24fe212e9b0894c3bf0905590d04d9dd9a7d27de44330ff066493

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28339\setup.exe

Filesize
149KB

MD5
536d65fb4fc58c60cb9693360d36f536

SHA1
71bd50765c01cdd264fc647ca5fb34dfffd3499b

SHA256
79f851fc387d00331e82ac34ae9840a53b034ba9de977f84e216593fd5e6111a

SHA512
fd5cf95dd416fa7e708df3604821cc8aa0a0e6385dd3a83367b65bae6c3e0817ca1dc5e3fe4fb6e8fe24b1a612dac395e7d41284f6927b254ffcf58878591fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae28339\setup.zip

Filesize
4.1MB

MD5
4949fe140f056040afedfa1e5ec9f6ae

SHA1
703ee6d309ee2cf925e81fae876092f745d1d27f

SHA256
e006bff40df6bfeae08cdc7ca481b61839c3a24a721a1ca46c2bf923a87eff48

SHA512
e410fe6666f099f3f675428763c3a66da96c80d478e960928d0568fd29aa5a8d585fcf80841b6914e3b9c664279d85f6268871c99bdf050905ded8f02b3e37d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE9C4.tmp

Filesize
140KB

MD5
fc152d48b806bc5167a9de010181f1b7

SHA1
d38fc4323220c7ab5be27365159e8f910935a3d8

SHA256
960b59a0108573d18f8b1bfeeccf561bc1893035ea5814598875ca1a664e16d0

SHA512
67dbb11e3186dcfe0720596dacc68d5469989a970925c0e25183b460bfd56c4db8c35677d59785d5ac64a4351c95a780480dbbf3787b0fe27c5084f52f80e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEAFD.tmp

Filesize
21KB

MD5
3b180da2b50b954a55fe37afba58d428

SHA1
c2a409311853ad4608418e790621f04155e55000

SHA256
96d04cdfaf4f4d7b8722b139a15074975d4c244302f78034b7be65df1a92fd03

SHA512
cf94ad749d91169078b8829288a2fc8de86ec2fe83d89dc27d54d03c73c0deca66b5d83abbeaa1ff09d0acac4c4352be6502945b5187ecde952cbb08037d07e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEF44.tmp

Filesize
1.3MB

MD5
3496686b7304f0034f58d3417ba1b6b6

SHA1
53565a271e708321836a6274000cfec462e81b0d

SHA256
088e9a0ec5dcdbb3d1deb412c32087c93dcf9c757b5d97ab93d7f7f91c2091ff

SHA512
8769843d1b9a2bd5980c1db1707f906e4f123aaf3fd38c76447dbf70f67e5c536fd7b629c753d2a0696aa4049a98a705ad2bcd1b79a29b6a582feba897d82fa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF0AC.tmp

Filesize
600KB

MD5
2300cfefe2158d1efd1ef8b92e4f1f7c

SHA1
947d26713dbef9d4f017c27e007e0fbf266f88c8

SHA256
b335f6eaab8a88602bb11434d36e8f3edcf3ad305cfd972bf6ef3451ce6f698d

SHA512
48ed72688b4daa8be684c268e0c4a64b417d6964d2b9a3229a50abb84897cd106bb218789304ac75282708af0df91219780082ed26a91e37b41eb41b503962f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF224.tmp

Filesize
160KB

MD5
e147ea8485e6cf95f28c9e2f14e1aa25

SHA1
3953fa1ea45c88c3ccc7d197d7444be6a88fa884

SHA256
f70755b2e08e70203cb1eb25f18b8677066ed1cd362a13d9cca943dbf1e81934

SHA512
1556c9836311d5296c7a6af6a4cae9326bedf80e04c96bade9a9d2b25ebfe03fb2e6589aeccc178315bffbcabac1a4f4f31e462662082ea645cf43f8cb202cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF36D.tmp

Filesize
16KB

MD5
6372654ae41b417cf176f13d8f7a56e3

SHA1
cb0f87089d0fba0703bed479b6a15cdcdb5accd6

SHA256
0f9f2f06410b66082096584aa54c0b81ec0b652c028fde52892fbc99d6b434a4

SHA512
2460bfacb8474ee3dfde8bcd99453ac756e3dd0151b5396adced6b4d141516690d34471378500b2bd320a1ca1f7a19811806940e933d9f903f10e9a46df33ceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF756.tmp

Filesize
1.1MB

MD5
88e5618f62912ad2c4fd2832b5bcb63f

SHA1
3876ea4233b27b09a67eddbadcc9aa396960974b

SHA256
19413ced1c7791a699c5469bd466d1b002bb0366961305408d1eb0e2e96dfc7d

SHA512
59cc16d4cdd6ce9dbe2f00bee5261da9798905f008fc574537a5a92b9ba27c9121a9a02cbde5a4851371ccfd25fbd1358b0dec794680bf7366071f216bb1191f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF94B.tmp

Filesize
144KB

MD5
62d3d645789b3ee0ce3adc092af99467

SHA1
8962799b0511e4501b7ad8795dda6c72e2c6e0db

SHA256
a235d7dbd4338cc7cd0baccdaf86a02876201ff4859bb66d451f1cf835ad3555

SHA512
93f6e021712beb56f461c99ab14d4febaa4838090a71094649214a467ff905167cc0be2b37bb3da26201230f7e4738ca861c0ef7b9e2eaf3eca3a2cd382d3daa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9D9.tmp

Filesize
6KB

MD5
fc3d0ee99f1f3be8a27741bb7abd68f9

SHA1
517d5ae9c38ef5a20d172bbdce440b5923be565a

SHA256
675cc5e1c2c989136c63f508b878a9fa367af9c1cf600193bf7707fdd97ad9f0

SHA512
7f1d3b873748aa07dc64d06bac01dd686d21308a7001865419e8cedc503a9f7d76e45c534369b97a9d20a49b9da7113eb5763f2bb5ad230f49c4897b5bef72b5

Download Submit
C:\Windows\SysWOW64\CMCT3FR.DLL

Filesize
28KB

MD5
3ef5966521538b55ac01938ab03ff6a2

SHA1
7c9b00f4f53e6f26207c16696d77d93325262fd8

SHA256
5c83a7aa92d683769fe1466da50e13442a36497c86307a07c495036b4cca403c

SHA512
8c228a5bd25b71415fbba8c18150aa81dce6c415bc5d96f9eaa936f00a61cc40bd039127842332448c47a94689b9f151f5af7cb612d6415252f081deda7e89eb

Download Submit
C:\Windows\SysWOW64\COMCT332.OCX

Filesize
405KB

MD5
821ab1f1cf9904cb9026c686f13f0f05

SHA1
398f64c00b026d1c6d94a6efd180f20c010f5ee9

SHA256
332e6a1cb4bf722092f9e774ecc14acddbf95a9655bea021681b11aac37ac716

SHA512
d63c0facd14adfca4e7e1e6d99d1fd1c2be89c2c03e9835c506418a6a3facb745888062bdf97cdab0ad67cc8bccb385ae10955f58150d9c4ac4a7c61e5c1e559

Download Submit
C:\Windows\SysWOW64\COMDLG32.OCX

Filesize
137KB

MD5
d76f0eab36f83a31d411aeaf70da7396

SHA1
9bc145b54500fb6fbea9be61fbdd90f65fd1bc14

SHA256
46f4fdb12c30742ff4607876d2f36cf432cdc7ec3d2c99097011448fc57e997c

SHA512
9c22bc6b2e7dbcd344809085894b768cfa76e8512062c5bbf3caeaa2771c6b7ce128bd5a0b6e385a5da777d0d822a5b2191773cc0ddb05abe1fa935fa853d79d

Download Submit
C:\Windows\SysWOW64\GIF89.DLL

Filesize
43KB

MD5
fb00273cf7ce639c136853f3fc04b10c

SHA1
16e612d7a4f210e78426577cd77f349306ab018a

SHA256
d4916f5c35a94e87cef46a63b4f19fb842252e0e2857b7804c808c94926156e0

SHA512
5e4bc9ce74bf81171e4a7fc6168b0dfc50268ff0069549bbf7cd0d480df9882911f4a31183d8d6c0222bede39d7d3216ad4e8c553501c376eeb0abe454fce6a8

Download Submit
C:\Windows\SysWOW64\MCI32.OCX

Filesize
195KB

MD5
227db8cd7454ecfdada1b0b9bcba316b

SHA1
8e1ffb9c5e6d0ed8d6f22c0759ed657c67df4ab7

SHA256
ce228f87408dc5ace2148a3ab368151736abbcba4589af5a180216e72bf23b7c

SHA512
288ed68036ff90dd4353ce52be129bee971985cc7ab0b8b926a5b8f9ea6023d8e2fa2d8d919cdbb98c92fc483c01b639eab5e9c479207dfbbca24b91886d417e

Download Submit
C:\Windows\SysWOW64\MSCOMCT2.OCX

Filesize
632KB

MD5
c1b4af41a0370e4081d59ac99bcc929d

SHA1
c0c55de97f41a24bf50b2d08eb428371bb4a3cce

SHA256
2b7a1f905486736eda8b51add1bc2590c2a6d9d5a9ab7565335d989f39c0eb8e

SHA512
0bb987af80ab3b598f2d3008a6005484d2d4d082958e757aed3fd1cd5cca543f02d7b475e2c030e28e320d327dce4b4009894f51b7ab8f03acf54314d86d38b4

Download Submit
C:\Windows\SysWOW64\MSINET.OCX

Filesize
113KB

MD5
bec727a9a5853a940aa773ba6075b971

SHA1
03e789ac03993adb428deb6cc51e726e7ab99149

SHA256
ecf2223e93f091c0e13db6f12d75c38d0f99442388a63fde0df13bf09c2297b7

SHA512
2850aadd1983f047a06b7d2617b40f1442a15c5fd2e11f93d4ef508d86a0918a0bca1b7fe8b62f0a6679d0a5c85ea7c9300c81f93302edc975e389f65c25e801

Download Submit
C:\Windows\SysWOW64\SSubTmr6.dll

Filesize
40KB

MD5
dc7a3bc0fc185cd68848dc6f7d7b026b

SHA1
c661cb1198f5e3927a67884e71ca95ff33026224

SHA256
6618b3ab331642449f0b07e4f39abf9fc3bb90ae90b298f1b9ffd58ca5397399

SHA512
22c9b2b7930e9e442699e37f43944f7cb4cd2562ed8319b4341c59475fa8071b501f4908227378b7883930f14c3059f66531bf876b386dea0027151b08006577

Download Submit
C:\Windows\SysWOW64\mscomctl.ocx

Filesize
1.0MB

MD5
714cf24fc19a20ae0dc701b48ded2cf6

SHA1
d904d2fa7639c38ffb6e69f1ef779ca1001b8c18

SHA256
09f126e65d90026c3f659ff41b1287671b8cc1aa16240fc75dae91079a6b9712

SHA512
d375fd9b509e58c43355263753634368fa711f02a2235f31f7fa420d1ff77504d9a29bb70ae31c87671d50bd75d6b459379a1550907fbe5c37c60da835c60bc1

Download Submit
memory/344-241-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/344-246-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4416-148-0x0000000002B90000-0x0000000002BB9000-memory.dmp

Filesize
164KB

Download
memory/4416-137-0x0000000002B90000-0x0000000002C25000-memory.dmp

Filesize
596KB

Download
memory/4416-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-14-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-10-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-247-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/4416-250-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download