951de2f2ef6ef03bae8f1ffeac78ebc57e30733fb6a30bf497a4fcaa74207f62

Analysis

max time kernel
132s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
Size

214KB
MD5

e9ece9135a941179e36a8f68fa991354
SHA1

34d3e674490d0c67320b4aa424cc3ab858cdc4e6
SHA256

951de2f2ef6ef03bae8f1ffeac78ebc57e30733fb6a30bf497a4fcaa74207f62
SHA512

8ff604ea4264e042bfa4ead6b4a417c17e6307ee8eea548e1378692dd49f5fc50cd90451f858a44eaccf5c61917e7dbcb2d22df87c52db43aafcd06d8f6606ae
SSDEEP

6144:Om6UslDnNkpXlNfNxMajphbo5Mmf6/cU9VP6m/Flh:OmDsl5vZyFh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2748	wmpscfgs.exe
2604	wmpscfgs.exe
2808	wmpscfgs.exe
2028	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\259414109.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
File created	C:\Program Files (x86)\259414124.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000509df4d93a6b2b29dfabc7f7663188931eb037a872459f9c9c50c803dd590ca3000000000e8000000002000020000000f7ce2005a4ef247cb30f33d7f62ebb9d8445a0fc19ea801c7560b7364495feb4900000002cb6e448e3a809784cfbfca1b533b1f24b7d8f408391f57c21a36e58263152cc061c860b76fb92dd6004a4acda4ec382b94c5bf53d2623719246f72bebd2bc012c8ca25e80ee8edda6d37ff409a5124c961fb333454c80c4875c6b8b6c6f12efc92c25f27c27905435384029cedc4b19ccdaa14706dae2083790585e8f0de408536cd7be273ae95190cf20d49f9dc69240000000e159665ff71e6a026c11e174c7320f3d089e4e4b83a1ac0aa2187e61791491d5f823191a9fc5610e40bd2852fbb1aaeb2d08a79fa34ce784ced95062fc951d4d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B799DAD1-F667-11EE-A5A1-E299A69EE862} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000058d27011fda19770d38ee167ed583a2b744d7a061028a4fcb999fe92940e4c7000000000e8000000002000020000000d7b7526488fcc0535b515e1385d2bf3476d3473e22c0fd918c2e65846e808c2620000000835b59c35368e08f4bbb137ff95abf033745bc737123f622e51e2dc8b098ae3240000000510f9dbe146710c1e3b9536f4608f65657a6a93662c5ada2906e9f435a7dd8ae790b3d968b4fa955e1855b9352426779bb91ae63ee0b6584f866c2e46ac5fda2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418825449"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f3f581748ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
2748	wmpscfgs.exe
2748	wmpscfgs.exe
2604	wmpscfgs.exe
2604	wmpscfgs.exe
2808	wmpscfgs.exe
2028	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
Token: SeDebugPrivilege	2748	wmpscfgs.exe
Token: SeDebugPrivilege	2604	wmpscfgs.exe
Token: SeDebugPrivilege	2808	wmpscfgs.exe
Token: SeDebugPrivilege	2028	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2508	iexplore.exe
2508	iexplore.exe
2508	iexplore.exe
2508	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2508	iexplore.exe
2508	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2508	iexplore.exe
2508	iexplore.exe
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2508	iexplore.exe
2508	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE
2508	iexplore.exe
2508	iexplore.exe
2956	IEXPLORE.EXE
2956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2748	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2748	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2748	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2748	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	28
PID 2120 wrote to memory of 2604	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2604	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2604	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	29
PID 2120 wrote to memory of 2604	2120	e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe	29
PID 2508 wrote to memory of 2956	2508	iexplore.exe	32
PID 2508 wrote to memory of 2956	2508	iexplore.exe	32
PID 2508 wrote to memory of 2956	2508	iexplore.exe	32
PID 2508 wrote to memory of 2956	2508	iexplore.exe	32
PID 2748 wrote to memory of 2808	2748	wmpscfgs.exe	33
PID 2748 wrote to memory of 2808	2748	wmpscfgs.exe	33
PID 2748 wrote to memory of 2808	2748	wmpscfgs.exe	33
PID 2748 wrote to memory of 2808	2748	wmpscfgs.exe	33
PID 2748 wrote to memory of 2028	2748	wmpscfgs.exe	34
PID 2748 wrote to memory of 2028	2748	wmpscfgs.exe	34
PID 2748 wrote to memory of 2028	2748	wmpscfgs.exe	34
PID 2748 wrote to memory of 2028	2748	wmpscfgs.exe	34
PID 2508 wrote to memory of 2044	2508	iexplore.exe	35
PID 2508 wrote to memory of 2044	2508	iexplore.exe	35
PID 2508 wrote to memory of 2044	2508	iexplore.exe	35
PID 2508 wrote to memory of 2044	2508	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e9ece9135a941179e36a8f68fa991354_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2508 CREDAT:799749 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d4727e0155ab9141bc93e76b747378e

SHA1
26788e6b6ab66578bec709a7278e5ecd1d65f9c3

SHA256
841333b1d1c1136e5782588705fb10068c462def8bb1de1ff499da8695f79820

SHA512
6c43fa98b7c3a1b7e092cabe6464b6f9863f5e9b9abc8f6d0dbbbd9c91f6a288d693e8ca325988383bc4c5d401e9aa059b9c659acddbbae3a1b96bbdeb8c5273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70ee95063c0499554844f22755abd912

SHA1
8e281cd45fe3478bc37c731af0aeff837929268d

SHA256
cda0b659f187ec3f78db4d78c91d4bd9a511a07d2f6b7b8ec1f7bd84a2e15891

SHA512
e851218eeee82892cb2a5255eeb1243c7b4cc58ca7cf35c3dcd6ae2e8954c3fb4b894cc22e0cee2fc95863277cf4ea8255594dfaf40b13d67d8cae4d45986947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
037040a2f68e98c460f43668f96377f6

SHA1
bdf2d3044371fe97278507d8f7019b1a2883569b

SHA256
0b686b7b1d8c458098721f28de8368dc39b1e6cb9c9390099b35f271731a2c56

SHA512
58b4dd8b8c6c6495a98d66a9e409cee0bdbce2fe86975f92278c0c35252631dfb5c76880e6a32cc34cb794004c1a6097ed88b0cdce5d5c02ef9939b6bc578b9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98f8f51e3e8b49977309c0c230e310cc

SHA1
62d19b265ce09a97658fd97d9ef44e5420a40e29

SHA256
3e8b71672d2b28b1b183e02aeed31e2afc272977ed74a47f5dac158904a963cb

SHA512
9005ab0fa6692fd4399c0a78e9f65cdfa3e32f27704c1a6beaac733be60e57f5f3c93b708e90f2b8060e0476192be638eac5f6f5d841185522a87dca21130e90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0ea8faadcdfd0b69887c01645f2f583

SHA1
7b5c37a882b06ffddc57a899909073695693b38a

SHA256
a2b55a3d7213ee6e2829b2be74c60bde02f171a6185a301553b223532e6c0747

SHA512
7c49539d28053520681f14a7506bc1ee5fa0fe8ec9040ba95af76dfd7accd3002f26120c1736babd6ead97ab1ab54ebbd4b9155a4c76bcf9b0d74ac631c60cbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21c122b6e76b286a2fc1e1c658d98759

SHA1
935d23b8eea03cb488e6159b104a165c658e9556

SHA256
43cc511406562cb24e67ad29ac36c36e6b72f130dcf603d49dac7c6c602d7ff8

SHA512
82f7584c9b6d25f38b8d6963dcce8148976f1139abdc3a688719b8819e7f2a4445ea8f9395a4507d3446203bbc262eef1c63ba4e35796cdd862aeab49e417c10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
388d32853f34fe5596ed696b9c68fdcd

SHA1
2f879a63a2c37761acf22a55054c5f4c2fa89673

SHA256
0f723e5e28ba516d3a374e8a8910a504438d0e2522ac35d1ef7e2a2ef4c0966f

SHA512
44673c949d4d98375992973f360aa2069609f7b565756bc2db2e859bbfb2946cb50951fcf611670860f2a3a386ea47565afcb35523e8717b1bbed53003cad925

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fc6d4dffc8d36155381ca00e8467428c

SHA1
07c0eedc5518c971c468f2eea460962bc826ffaa

SHA256
16746119f1b2c80fcc8e2330a99c5f1754cd22198de1a9e1a33138a516ce816f

SHA512
226423c9d1eed5ae9a5c6ce3c63db72265301ca82fcb69f1ec4d2e9c53b4ca4f5e9c3d33b5acd18eedade518ee90afeb3c9b14ad88ee244cb558696995460920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
95b647c484b5a4188c770bec9e111b16

SHA1
4fb18d113ed54b7e067a2197a59e59cfba3c3070

SHA256
d5862489dc21d84cc5380a3ac33a820c35e55d12664a77d965bdcbf236825ee4

SHA512
c723577f6f2d7a38ae6594ca5d00215f8857804114b5d521257822d1b749dbc1e7e424cbcbe90c31f190c459a8beb403d94d94cedfd2ad46a2ea93446d136839

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b5af4aa4804f66c3e5f07f07421103e6

SHA1
15e139f2ee59bce19655de43c9832b0e60df40d4

SHA256
78bf7bb7197559f30e5fe3f7dbff83bad18a4f81d3a949461529c9d5c7fdd252

SHA512
14052845b0d14aa58b59d7143798e5f0e66b101484c2223010abdbeb9d82d4a330f37bf8f2a8b1d06b3930d5cd4c1dc04bdecc36eeb7c807930cbf8fd2d4e8b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b1b8689cdcc0a8d89e13ea658f404a81

SHA1
ff1915f1a48da3592e5a723745561d2f85b2c4f5

SHA256
c75fa8b31bf6f993fd9d7ff233ab74e7f4d50f2537a619c7edf4392dbd57d700

SHA512
2621786e3eddf0caa0fb205e43c0b8f10d2f729d7f8ff860f79a2d26f13283e512e327c85942aa3af4a2ca09f17595c2477e9f17b387bdd81b5e77e1b31a6e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9e2cb8d114bef401cc21a625dd2a66b

SHA1
651d0f07bbb30083c363debb8be35f960b9b8c8b

SHA256
895b30719ad4c119d0887ac4ecd67d636c503098a85e9498ce9d3339f5caa4a4

SHA512
2a5f60823e7f0b5674b5a373d5ec7b4e0fb197220eb5c16ed20f0d15f3d9a0a9c90a2aa6f1175040e9725412a2febccfa3a6346eee453efb8e6f97004180c70e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
55efa092a76059faf9712b177cdbb70e

SHA1
ca7a06f5b3a697f87c47523e0d9b199691587b34

SHA256
d72a7578c9baaee78ab51804ebba1509b23a43be641b390b18074ff081ee347b

SHA512
0a2d38eb45e32b4aee2dcca75625d78aacd1836b8f67e1602501b09d66b4dc1afe494194eb11a236dadf028380e2401f875c812fcb15abba80d2e783ff0b47b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a40269ac15c349e1a4029110c922f64

SHA1
1238da9bb6d745a199cd69f8b5052582bff8a4c0

SHA256
4fbd0314d0f730752cdb3959b533e8e72d6a939ff714853b49ca2ec93952f208

SHA512
824d6000777a5eb67eeffb238e5ba20adaca9eb8a6dd24a5c2e7c76f727ff09e18f6b62c5daa1815aa07c0caf43b5e085c3e094ec370dc256dbfa2515ef9e930

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0aac4861a9852e2cb246f443bd1184b4

SHA1
ee7530752d739fca6458c3b885de040b084bc92c

SHA256
6b4bb2825da95f56881f38fa9474f6659757a7bda7411d33ffe3732c2a4de557

SHA512
2710bd99580c7bc9a03dde6a3b6d81c727a11d0e94bba8474d9a794671178c1bf1a9a21d44257797e13f29bf1d444c7d0419223164826d7716b67f6e1a586ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e266189392f2157c8a2c2902251067e6

SHA1
abaeb4131669f2803182cb20105f2b29eddcb67b

SHA256
3c54c1d86c356a590ac6089a33ec95d8f410e28b8ef3448c6517e936f6ad2395

SHA512
3e37d961271e8a6daaf2329941b6fd2afed62224c2c29adb51fce2172aebb4bb51db39061edf420a7937319068c537265b05506064460449cc00203ee9209dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd4eea96d471f7717b2847a651b92193

SHA1
b3b1ddec68b5c1cfb667b9b372ce9959b068d480

SHA256
6fdc89f86f37b9634c1a5b7c75789fba9142327d1680272da17df90c80cf9379

SHA512
755d237a750f9e21941eca60a7f25a8c4c241799cd3dbabab73ad1f999153934ab9d77f546e70057d71ccb7279744ae13b8ada748c35e02d764edf95fd0cca2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c191fa3a34d6d29ac2916bea0534cae6

SHA1
f18980b61ba6cd0e18d2c78be4e1af9c05ec823b

SHA256
996bc4cdf5788d8efe8c5555176c91bb43a5bffc7126db9f786272ad23e19d19

SHA512
41874116fefb538e4b70072258ec9a261ae2183c6f220e0b06b89a8a6ccf1676f7c3fcdd0af395a6a8afa21fad8740f66d332020d3249c44479b69b1d59be26d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2034a8c7ee616f9bf9b8af44e932acca

SHA1
68fcb21347eeb451043f61c0386c42bab1d43e7f

SHA256
08cfccc928c6431c0557fb9a5aa69732179750dba62c2888b7f80974c9c8cab7

SHA512
91bb7dff064dae66cd6b64cf16533c3ea58f6fcecb6544098beebe525b30f117d9c11dde8ff427b8d233f347dd43cc662b67b2a2f6f341c5067c59a53ace86d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7439.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84CE.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84E3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
216KB

MD5
9af042577b86e201354da6c1f842642c

SHA1
ff8381d9417c4db8cb2cd1a707b0ea6fcb311822

SHA256
4e33020d6d156c8d307327e4a609e6362871a522ad4cb56efb89bd00b5afc589

SHA512
19f0d61c6addfa65180cb0998b824d77f1f5f0d4b36c70e2dffdc52d00e6b56edf545f0e042a2c7d6b22ce2b3d569b99f5fad23d9d35b3c5aa268b63dac92195

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC0C42FAFCEF9C13B.TMP

Filesize
16KB

MD5
90e297a99f7c4359bab6c1746f29576a

SHA1
2ed2183597e1a49c82c34be58127c07ade230222

SHA256
1dda58d52707b89590d5291c2effffd590008a095daf369ae36a86bdaa35447a

SHA512
01601f9d64e6b45f346c9e6ffd3793f2e14dbb467c50f5f3d86c3ec2e8744378267e8152e7c1e2ae97e94e92e7e47dd11f7e69e120e8a53fcfeee00400819fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3715KZZ1.txt

Filesize
107B

MD5
5760e477b9144ac3d11dc21a24134772

SHA1
0ac3bfaa1cb60a69c7f4751d20d0728d9c3f9532

SHA256
3dc8fe489877a4a27e98e5b07a39118814145e09e55c51063efdcf659f923496

SHA512
7fb6cdbcc939b7dcfba49d9117ce14a5a8c0059a0f4b0312a7fe4b2bf7e971ef2b8a5d5098f167a759dab727fc1ebd8c6e488a8583648513de815a045bd1e0d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\20S0HYWYR0B4VAFF306V.temp

Filesize
3KB

MD5
6c83af4501dc4f12b493f596308aabc0

SHA1
1acc0bafcfd02fe724e54a645041b24d56f6d67b

SHA256
faf2f97cfcccd30179c07a0cf63443b4c66cae919af2eb2a2df6052d9fb9df60

SHA512
ca7de122b29f9ec177831a686d1119d023d6c36e8bddd921dcb567ad92fca73fe492d0a81f2a647c8d12393876cd7ce8e8646dc6364308186c3ebe804ecd07b1

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
240KB

MD5
fe16b8fdb431c0885edaf601445b8f3d

SHA1
33d80f0e35385e94b8498479e6d11aa998c02fa8

SHA256
3ed4e8bc68fc7cad2d2938cdac9e527ce61571616301886d3faf684a820e1a1f

SHA512
8f247eea49bb5322dd11920f5191f82f5530a13b4675c9202494a7186f23551a39caba2b171a23f25447a368a5457dcd64b970b6e08c99b7540c8952cb69bff8

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
240KB

MD5
dbc80e2f0676b8e2b9b0faacd4b64f72

SHA1
9eac01a65e6a70235dec67ae742afa9116c78bdb

SHA256
159319183556f345a9a593f44d7b9395d27246efb66e4d59c71f92ca8fe5e48e

SHA512
581457ebf24ef76cc7a67ef14764430bc0c79ebbe40f19e8449d8dccc0700585753f8e5fde2bfae7edd7bb06f27dddcf55e780257a610df4b0e771a9a030e21b

Download Submit
memory/2120-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2604-35-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2748-22-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2748-50-0x0000000000510000-0x0000000000512000-memory.dmp

Filesize
8KB

Download