locky_lukitus | 117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-05-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe
Size

654KB
MD5

0b40a2fff66d3c7f728b2d0e9ae861a6
SHA1

91f89d87f92ba4f96d16a96c35e56e039adf6979
SHA256

117da274f4076bdd7f3aa6e6b1d96c44100ccaef59194202fc166ee5f4be78b2
SHA512

dec02943bb4dfae04c0fcce7cb644aa60277f33cd4747270b4a2d3feb5ca53cf6a5d037eb618bc4c27e3ea266089a2fa8b0ae1fb68f9180fb9b4a15522834c5a
SSDEEP

12288:yz9jX9Eh/41Vfbtp/nZOKwXui/07zrwIOxbvnFbhs68/NimxAOWD:yz9jX9EhifbtpPZ+5/0jwIOBnqFJHWD

Score

10^/10

locky_lukitus persistence ransomware

Malware Config

Signatures

Locky (Lukitus variant)
Variant of the Locky ransomware seen in the wild since late 2017.
ransomware locky_lukitus
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2452 cmd.exe

pid	process
2452	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\opt321 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe"	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\lukitus.bmp"	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2308 vssadmin.exe

pid	process
2308	vssadmin.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\WallpaperStyle = "0"	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\TileWallpaper = "0"	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000059fe00a11358fb66e15a77ecca8a77cf3782c8bbfe83bb9f245c9f4807becdfb000000000e8000000002000020000000b630f54a7328d6b682763069ff0da912c8c0bcd0e19c04fa9e6b71ccde2c865420000000707e560c60687e371ebd32417815ffbd5c88ad8ec2ed8138c04df3dcbf91dfdb400000005b220e564819c4add045bf92d6275f6326295eb4907666736be09b3cf9dcf70554baab1f9372b314c322b1ef048365662f59d3b9f6e2d554cf8af5e50e563b09	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 301d6a04909bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2FF02C11-0783-11EF-822E-56D57A935C49} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420706417"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000dc45eda9c3fb8da30ca03e4be8d25510339f84596ff1456eca82f1f59fbe88cd000000000e8000000002000020000000774cdb9c14cac491cb3c2e20dff6083b80ef7b99b4ea29e13806a6eff2bec17790000000042ca583ddd0d1b0c2e18219b3a833310bad9e4ada62f01a18fbe64824688ec2ea55888da5295b94acea59a51b811af53ea845aef9abbc1ec31c50e0c8cb926ec8aa307270314869942de6a99ac42ac4be222d0dbcd2ecd313497d8cdc1ae7594b3801d0c7f9d0a0d7000e1f02712ad177b3cc64e9e7f0189ec19036cc5c047eaf5a9fa3f7e7b07caca09fd95f078fbd4000000097b3112f94d993c92caf1a0f98bf83b7ac936a2f1300e5ddb8c53139e7f70756d5e41cc933df5ce29a00e7972f5c2fff20db27eb8f445f6db26f0663e11cb9b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 2692 vssvc.exe
Token: SeRestorePrivilege 2692 vssvc.exe
Token: SeAuditPrivilege 2692 vssvc.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeDllHost.exe

pid process

2172 iexplore.exe
2840 DllHost.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2172 iexplore.exe
2172 iexplore.exe
1956 IEXPLORE.EXE
1956 IEXPLORE.EXE

description	pid	process
Token: SeBackupPrivilege	2692	vssvc.exe
Token: SeRestorePrivilege	2692	vssvc.exe
Token: SeAuditPrivilege	2692	vssvc.exe

pid	process
2172	iexplore.exe
2840	DllHost.exe

pid	process
2172	iexplore.exe
2172	iexplore.exe
1956	IEXPLORE.EXE
1956	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

taskeng.exe0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exeiexplore.exe

description	pid	process	target process
PID 2560 wrote to memory of 2308	2560	taskeng.exe	vssadmin.exe
PID 2560 wrote to memory of 2308	2560	taskeng.exe	vssadmin.exe
PID 2560 wrote to memory of 2308	2560	taskeng.exe	vssadmin.exe
PID 1676 wrote to memory of 2172	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	iexplore.exe
PID 1676 wrote to memory of 2172	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	iexplore.exe
PID 1676 wrote to memory of 2172	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	iexplore.exe
PID 1676 wrote to memory of 2172	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	iexplore.exe
PID 2172 wrote to memory of 1956	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 1956	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 1956	2172	iexplore.exe	IEXPLORE.EXE
PID 2172 wrote to memory of 1956	2172	iexplore.exe	IEXPLORE.EXE
PID 1676 wrote to memory of 2452	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2452	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2452	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	cmd.exe
PID 1676 wrote to memory of 2452	1676	0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\lukitus.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2172 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1956
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\0b40a2fff66d3c7f728b2d0e9ae861a6_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  PID:2452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {DBD6A719-F958-475D-AA43-5793770ABBC9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Windows\system32\vssadmin.exe
  C:\Windows\system32\vssadmin.exe Delete Shadows /Quiet /All
  2⤵
  - Interacts with shadow copies
  PID:2308

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c04e1468440b9c7d4c6e2cc7429952e5

SHA1
abc6ad646f005ed8db0c98930b02b9a44c456b04

SHA256
5dcf6fcd526710fe153f9f7bf1e88eb511b62ea4c1c6be43e6e9812de4dcf340

SHA512
a2386a7c9aa3d9827fd9b3f6c5ffc400531ee20c917e2c2747b056ce54bca60893fd7a002a152ff7f6b644be211a1f672968d1227b35e640ae31c757898bb08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d85368d73dfbea13dca08b1562389cf2

SHA1
5877c22426e86275dd065264d3df33f001612a85

SHA256
4b7f089d80ad7d048827f490103c8249143963713bd5a3d99e7d0178bf13eb89

SHA512
bf051883d2c60e489ac2050c74bf66d06b9e6dfc2266fe15c5221f60c56b499ed91a4650b8d772c40b073b3a5c180958aeb48c6da9dc71bd753249ee36506faf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ab4289d082f7088b507ac07ecdc7c0ee

SHA1
9e06e42f290a9892e81a3b0c2c3b2fd9cda957a5

SHA256
85ae7baa434f46306cf87c563d24c57fd5fdffd5a8eee47c1031731103adaa88

SHA512
ff7e6c0aff432a5df91f1459e814ffad150bece66c64e064f626ed605badc432f9869d727b618c5a3f1ada5084d0a38425cf27763529b654f338a1b7773cd398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
483269178036e4aaca82dab0323a1a2c

SHA1
665ee087c3f37dc615833c710f5d0cc622b31708

SHA256
dcdfd032f56a8f3e563bb94877f3f8aa52f18eb7b2decc520fb469baf5e97fa5

SHA512
55f80b7ddcbb9f95b21428b322c9db804b124cb90b637d4418131d12c8646d79fb4d11367735bcf543413a6d3b3d352150ece265b9db65bae5a2a2f4c38b3385

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
37c241ea269bd79298204ba455e4e4da

SHA1
312cb219f0fac8fc975b330531e9cc4d80fff0e6

SHA256
fd13737d1d785eebe3ee6eb998e1d2d6e1f2dc56448e3d6f34331e3f12b547b1

SHA512
9641ff5c4ce8dc4ceb639897d7b8b734d1430d13b627b5eef4f5ceb6eca3875c47a5b72e185f643288a22fadefd286c5d25e6d5cc69de3d22ab5e58f6e1f9bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bda8f3b7993ee907cc74cb36bd97bc9

SHA1
2cd8bb9f55ff99703544e5af59a09200018267f3

SHA256
21d3d5a0ae446c06170561a70c5bcaccf308a73e26f03549f37a8f938ec102ab

SHA512
73416b024a5c762601668c0ef83e2440bd657ab27f257fb15d99c86f43a7db72983224fdbeb669d36ed8c53597869b9685c6ab4b9e4c63b9adc3530cfec0c327

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3e1f93598b01df3ad7ff988d0b8beb5e

SHA1
90ccfbda47d599404a912a9f5bb22b11b273eb79

SHA256
920475c563c9d90b01cb3227963ba83b4453441d114440667808c56d3a58c857

SHA512
b88dc13b63d50e054c076cae1e0a49138f542c7f8bf9c0842dd63ff372946df345f23b0198513cd52eb687f772ae4c3ae86127409867a6426936f74f2ea15c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
122871743612722d2d84623461b8088f

SHA1
7384cc88a621129497d3b224583d7051eb0e927a

SHA256
a69a57f28df30000c0948b89acb83c724115e11c050112fb7a644eb26ebcbd6d

SHA512
2b0b27c55934899f57c672d1fa1385ac970272a5791c1bac3a0161def806c890fee96e566d65c503cb6e272b5f89b4ee7218f90695f5258e3711fe4f6549e4db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0892ffd7dd7bd004f76ad044e4f2f572

SHA1
edd43099d7b7f1033169299765bd3e5357b39b20

SHA256
afeeff6323cc1d5183d66b1e938bd231a34e12f9116bfdc8265267d19d4f5a63

SHA512
667ea16716f35d542a891c56c0c450cc3225e53f6db845b0292ccb09307c78440203f8a44e244cf0662e45bb7a5be99ed0f152451ab0f1b9aa4135392cc9a911

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c70e97bec562833cadec3feb15b32904

SHA1
6638a5b01c15fe398a24bd1c3faccd3810316be3

SHA256
f56093a20a935185f6fb71961f3bdad030c3a3b989133586afe56f201e077127

SHA512
ed2140ddbc6af8086848a94426a490f12a50ee91401e45110cb8c55dd1cacfd247b52e204629d9730fe0b084a54aa0c96eb3fd07d7863e6fab0bf2b1e7cfc2b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0b915c2fe77897b68aedf622a5cbe60e

SHA1
92c41b2fed35862cb9d4045c9fe29159a0b099aa

SHA256
def61b3fd17e70aab295c3cd06f4663cf6121fa34a947b23a6878f1ca34f6274

SHA512
1f6bdea67cc791df9c18b2eb7d84ba00d24085058aa18ab322b6e6948371ce678801a5de47931166f1698be562bcf9d355e99b1287b861878bfb04341bf78e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3f8917d2d2196cd8fb86163f1ef79a6

SHA1
16425856ea30152b370a5896bc3cfb3416f78fdb

SHA256
e1cb4f468cc573ca12744f248e7daf832f4286183e790dbd4ef15a44ade35be5

SHA512
ced721028fbc46190fd56aa449d2febd407dc905cf4de1aea0b5407c4e6f1ae0259659ab1fce96f76e16ed421b1048878844d0f909fd1684c6d1c8f1a1fd7e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bfb9768dfe56ea9ce0bd1080713e48d6

SHA1
e3fff430113d1ecfdd7189a0a279190379b7fe60

SHA256
5049b5eb8f1fa7ff61805127d64c8a474026bca900d6bb83997596412e1843da

SHA512
e310901551a746604771037fac63018dcd6c8846fb03c99b1fe904841d24c2829c4099bc8b615910dfc285cbf0a534a3673aca643c25fa98e441f935db9df18a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
187f6b44a230545026c76783e23a89bd

SHA1
b6bd3e7773111a7a6681afaa453ed05b443d891c

SHA256
94cd2c6f8acc01d7089d16da1ab9034c0924481c46c0c9b571190e0b164ae773

SHA512
4f2f619c845c865094223f59c1762126071988752ee7cca641366eee1ba1d8ec991be824b28e833f8449bf66b4aa012eefec39cd47c872103f5816a6fb3fe8b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34acde244bf735b9b3b364b0deefbb74

SHA1
3fc62325840172f20fc7345e9359a9aa274cbcce

SHA256
85cc09b9f087a875d3fbba36edb8da1410b75fc3ef05ceceff6ee8f51b6afcc3

SHA512
39f85533ac010fa16327b0da2c1a3f9e4036437a6608da67dccc27660e8ab9cb3ef92b53bbe7a17ae7de15e22746eed4e26e770ce5d9774eb7616691797c24ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbf8cf0463f606bbba75cd679220f353

SHA1
e3f705ac16b78d2775c9bb7d030a940abe83c7ad

SHA256
635fc0f358b2387b7b6a754370051fe302c573e90c0d4a90277366b79220559f

SHA512
704318482d804abf2b5c93290a6ed754d8140954b7ba00cbd2fe3d53d7b21bab9e16de6e152732dc6191b85f9290e38d0e444558add7d7d6abfeb9e76cae6fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e44c42e7e719305662e8ba90f35e3bdb

SHA1
4441ef45cf2fe68ebb7501e7e5f1f7ba9f7cb1d5

SHA256
93583b70b308d7b79f878f2780ed8fb4a2aa1f5154069712ae53f945cace7162

SHA512
8b4a75f61ccc6adaa72844f52a59296bd60eaea9a6462646a3cd7009c5e94fe7897a0890b82ea07ffab77caba40d3a849f38247b3a669f62af33b9344ac50b1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b8e8e62ca7b5e0485218ab06cb6ba9d0

SHA1
4f49e1817ad9aa16c82dfd9ef12bb6a0f4676203

SHA256
03b0b8e13a44b7b1234d63e57069ed41231c8d9b2609d0905509d994c25fcf6c

SHA512
f19b70cedb6b239d1e8d4d846deec5c1f4d49f7156ee12358a3b202e84fb7444295580dcc0380ca7d9ff810dff5ef1324e1bf34c32836725780578264ee8b861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb28a8accfb5e8666b23144c6368727e

SHA1
40718e4fdce38228f709eed74734a8c3b94edc6e

SHA256
f71e1f59d96d71b39c31f1a3b5bfb8ca991655486bb0cbd711cdc2f1575fe6c0

SHA512
4c4bf22ae07e2954582bd47f7bc8e92c74ca594215a4ca1eb6beb13a53a5ac6dd125c198918602c5960b2f67a565a15995c786648b01a31f1485aa78fc235556

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6549c4f67dc5b0c70af9bd7276cd3b27

SHA1
def495c87f042a32da58d44c410381c3656117d5

SHA256
099ba844a7a94e97895349f804d4f81878ed4a7dfc911915d667de6a337a5dbe

SHA512
b233b7321cf71c2bd4cef1ae78cf596bd0bd749a1b2450b0d5f866e98d5a24b11df5d2c59b49fe36bc4665589148017221036815ba7a9f0d0347c62ddc9be775

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC93B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCA3C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Desktop\lukitus.bmp

Filesize
3.8MB

MD5
6c417e7d684bb345e1982561f0013c3a

SHA1
2712a68d7b8e6ee094f3990d8e38edc0dcfae057

SHA256
9e9086ff9b6a7e4f23a390bece23bc5083d08c9ffbce4933d5dfa6394f19b7c5

SHA512
135b956e31191cf8a5d1019d1beec036aec6f07c2bb8de75bdbd536c381b67af8c3ba9094215b75f35a53085656096e36cec3f1f058eeb34b50d1455aba52466

Download Submit
C:\lukitus-fa07.htm

Filesize
8KB

MD5
af84496956ca337d2551861144d62dba

SHA1
57e156babae8bac500f9890fe3cc548c5c783392

SHA256
d280bdceb2c26a6e9cc5200f420dc9923a92f0fe3007afd32a7e9682991adc83

SHA512
06b6111a7d48e37b596b9a7f22faad1cdb7894f57872c1d4ecfb1af19f7ace168b9fbf1ff42716ff549b343317699c3241d10321b609ddcdc302c11170478b59

Download Submit
memory/1676-0-0x00000000050E0000-0x00000000050F1000-memory.dmp

Filesize
68KB

Download
memory/1676-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1676-270-0x0000000002C60000-0x0000000002C62000-memory.dmp

Filesize
8KB

Download
memory/1676-273-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1676-6-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1676-3-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1676-4-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2840-271-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download