6eca43f7425a030b489d826dfc1000317aa5d921701ee33ca17814ca3cd8ec56

Analysis

max time kernel
147s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 02:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe
Size

76KB
MD5

e9049ca6e463d27c5925e566c3d64d41
SHA1

c804ea42d65af3c3e53e2b226a3574810385d289
SHA256

6eca43f7425a030b489d826dfc1000317aa5d921701ee33ca17814ca3cd8ec56
SHA512

ca14dc3eb9b8fc1e1b5f55273265a78352029142def2224471e344a5b590b42e263d10f87ec657b3d5c83e3d6eaa03c2c14b184c3ef2a343da498d935fe5cc3d
SSDEEP

1536:tc/WhsdkrfjGUnQC0gFW1P8+Jm1BbcaMi:tc/FkkpRmXxMi

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\current = "netmmc.exe"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user = "tootsman.exe"	regedit.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Runs .reg file with regedit 4 IoCs

pid	Process
4388	regedit.exe
4480	regedit.exe
4504	regedit.exe
3312	regedit.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
744	msedge.exe
744	msedge.exe
740	identity_helper.exe
740	identity_helper.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe
3408	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe
744	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 4388	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	86
PID 4944 wrote to memory of 4388	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	86
PID 4944 wrote to memory of 4388	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	86
PID 4944 wrote to memory of 3312	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	88
PID 4944 wrote to memory of 3312	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	88
PID 4944 wrote to memory of 3312	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	88
PID 4944 wrote to memory of 4504	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	89
PID 4944 wrote to memory of 4504	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	89
PID 4944 wrote to memory of 4504	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	89
PID 4944 wrote to memory of 4480	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	111
PID 4944 wrote to memory of 4480	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	111
PID 4944 wrote to memory of 4480	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	111
PID 4944 wrote to memory of 4628	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	91
PID 4944 wrote to memory of 4628	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	91
PID 4944 wrote to memory of 4628	4944	e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe	91
PID 4320 wrote to memory of 744	4320	explorer.exe	94
PID 4320 wrote to memory of 744	4320	explorer.exe	94
PID 744 wrote to memory of 1976	744	msedge.exe	96
PID 744 wrote to memory of 1976	744	msedge.exe	96
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4232	744	msedge.exe	97
PID 744 wrote to memory of 4848	744	msedge.exe	98
PID 744 wrote to memory of 4848	744	msedge.exe	98
PID 744 wrote to memory of 4112	744	msedge.exe	99
PID 744 wrote to memory of 4112	744	msedge.exe	99
PID 744 wrote to memory of 4112	744	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9049ca6e463d27c5925e566c3d64d41_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\SysWOW64\regedit.exe
  regedit /s spy.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:4388
- C:\Windows\SysWOW64\regedit.exe
  regedit /s \monthyear.reg
  2⤵
  - Adds Run key to start application
  - Runs .reg file with regedit
  PID:3312
- C:\Windows\SysWOW64\regedit.exe
  regedit /s \show_screen.reg
  2⤵
  - Runs .reg file with regedit
  PID:4504
- C:\Windows\SysWOW64\regedit.exe
  regedit /s \flower.reg
  2⤵
  - Runs .reg file with regedit
  PID:4480
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe \web\ketawa_sampe_mabok.htm
  2⤵
  PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\web\ketawa_sampe_mabok.htm
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbfae46f8,0x7ffbbfae4708,0x7ffbbfae4718
    3⤵
    PID:1976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
    3⤵
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
    3⤵
    PID:4112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
    3⤵
    PID:1708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:4532
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    PID:808
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
    3⤵
    PID:640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:4012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,15593914340970186622,17765732839777318721,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
047cdc395deacdc046b25e0cbd954050

SHA1
356340aadc61c4aadb8ecf626deba4f3e3e4a718

SHA256
392a17cedfbecfbedc915a5243ba6230e6ae16108ef562e08b2937b8e731a985

SHA512
0567c03bbe37a9715fbe477f31a43b638232c672c05b9e4adc46a0cd06fc50a8866edfe42a6fae5ba09b4bb0f8c4787ba00ae95a184dd2640a99abc4459d3954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
680f4d8e75b1a9337daea5d7dbbd4a55

SHA1
b12e8715a1c939b07a3884838f0c6d32095670eb

SHA256
abd8b754f2ec9126e2c258096799d22fc13042f419f01ab370060f9bb1dae28c

SHA512
7c67a6abea4327b475c3ea3385cc9a0fd1ed28ddd8e0da7f4d08a5b7532a96b9dec696da190a17897c06ef24ad45549c1a838ca466709f7f8d9474a61611641b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
df9f9c438903010c064e4d5736f27399

SHA1
a4bab8f9e142ce4f8f4bae8d5106ea6e4a964e5c

SHA256
9c9345ac2831a97ab640417038bec486076085d5fd6351ba6f35bb42ec1cc7ed

SHA512
6a1570158c9bdac9fa483398290a27a09d336aa49ff9aa9500012d573d0d74090a19ec9711ddf28c49924f054d23933382c05365619e751447dd481de6fefa92

Download Submit
C:\Users\Admin\AppData\Local\Temp\spy.reg

Filesize
106B

MD5
f05f40d724a3af041ea4e7562fbd9da0

SHA1
a1b1aa444685608771ea5a4b117211fe1d38daa9

SHA256
521135da7030ff4b62ebbcb8cec36e7df5d8fe321e6b1abf5418c00356d5a379

SHA512
6b8cf5fb1e41c95b3d05add99ad07f06d18c40b6f8b166d54e0df1aa38ad7ebe13a1045f2764bd0cd65bbb3b225e061332855b7e831c932e23e3d0e391ba771e

Download Submit
C:\flower.reg

Filesize
161B

MD5
e5a376ab0456b456e669b15acf96a12a

SHA1
877c1d9c10cf0e99f3c2cfada4ae8cfa2571cfc7

SHA256
0690c017d21b1256e2520cf3fd35f8a428f238093710f44f9720864bebfb5339

SHA512
68d64efea7525795115c31f67ac187e51b8de9411fca0f039654ee478404fb095d832e486f5f7a31f9ac13e2d693f1ccd7056e4330108635fe9d107f80b135e7

Download Submit
C:\monthyear.reg

Filesize
105B

MD5
7f521b3a1df6b8095b1c8b6efafa1863

SHA1
8c164a0fb7294c00e019c108576119bef1a9cc34

SHA256
f013af8ea0711fcb4cf998d80e586447a9c68f4fdaf9d8624bc0cbb33311187e

SHA512
755f828f3dd31ced7541b7e295e5c933e022edc80f99a0d8d14eebf6f1d4af63c898b02601edcc090364d9c1d461038ae0f80054f8edc4a79aa60ab1c1ddf04d

Download Submit
C:\show_screen.reg

Filesize
118B

MD5
c7e41e257faea20301c935953d5c4b3f

SHA1
f5fe22257d0995fe8cbf1114c045026ac505ca7d

SHA256
244d3aa9442f7d38e107a613c3a1797e34b7aadb0de88165b23898bfb69ddb64

SHA512
ee719754f6c6948c0fdfc97499edc5298a0f27405a59374500746fe2d091647aa1b6b1de6db2841e3bac0f81cb51493509dc61a31be9d4ec9230225e1308803f

Download Submit
C:\tootsman.exe

Filesize
76KB

MD5
e9049ca6e463d27c5925e566c3d64d41

SHA1
c804ea42d65af3c3e53e2b226a3574810385d289

SHA256
6eca43f7425a030b489d826dfc1000317aa5d921701ee33ca17814ca3cd8ec56

SHA512
ca14dc3eb9b8fc1e1b5f55273265a78352029142def2224471e344a5b590b42e263d10f87ec657b3d5c83e3d6eaa03c2c14b184c3ef2a343da498d935fe5cc3d

Download Submit
C:\web\ketawa_sampe_mabok.htm

Filesize
1KB

MD5
02e2b635e035989b4d990fcbcffb57b3

SHA1
42d0ee44b3636a79bf201ecd393354863e79a28b

SHA256
4576b6cb00480fb83b4b26448dccc52c6fe651ac2548160e7963ed123f15f410

SHA512
80842b13b4b58c6e0faf339f4004b1ca5db3dca3c2e5e7563181bd816aaac5c697ebd8e6456b83b3a2c5f1b6e9c661f443cda3a9abfc979025d575397aa7e3ed

Download Submit