f1741ebea4fc619b1d5bf3777918e1ed8003cfd04d288bc0af5b4ac2d8d2fc1e

Analysis

max time kernel
123s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-05-2024 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
Size

1.5MB
MD5

114fdd33396da68a0d2c01031e3fff64
SHA1

14e9561ee743a4ab2bfc6c6ada9d075ab33d2ddb
SHA256

f1741ebea4fc619b1d5bf3777918e1ed8003cfd04d288bc0af5b4ac2d8d2fc1e
SHA512

1877bff7572b13782cb4d622f7e9dc14f800e2040ec537ce55d29960f0cfc72f511952438c428758d5c2f3b3eaab72dd0e1a035df09c55b62e7208fc0fa9ac11
SSDEEP

24576:OmUxlIUzbjKjOvUYhoxs+lM6Q1zAs1ZLuTdRZc:Efb+jQoxsw1+vLCFc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1344	wmpscfgs.exe
2608	wmpscfgs.exe
2864	wmpscfgs.exe
2840	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
1344	wmpscfgs.exe
1344	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\adobe\acrotray.exe	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
File created	C:\Program Files (x86)\259421457.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
File created	C:\Program Files (x86)\259421644.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e000000000200000000001066000000010000200000004a8866371fe92d518ae10331bcff2c4cf2f529349e35de1b208666ab8e27c0a3000000000e800000000200002000000023fcdf34335c4493b23685f4143eca4ab26905537d81e2b395e21f55003c285720000000cb5671ada7cb691afabe6f54f5fbd0e23b7d06c6a4e38350f9ae3f3a0b63d2bf400000002f05971c6c0487c3eaef25f25adb840f08f27759e586ca22a570ed2a17fad6e51f7d3cef7536249e3a13a77ce838c804b0ac4165ac3b76d645811c9734b01558	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420953515"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{81AB7691-09C2-11EF-8303-EAAAC4CFEF2E} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90455446cf9dda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000d3c01cd2b357f0d327f5af45b0ad710d9ccd1e405923cea056fc5039f6aa2013000000000e8000000002000020000000a28af7124a6d63046b6433deaf7ef11933083fce4fd0ad22c63fc3ac027f023f900000002efc500d4d761d3034b95c3e21f13693eab8060de38ca7301076f9eae3d7d98efd6af3165878f1f64de378a8b772e3262341d81dc451efbfaeaa2b509f7cadb386a366d011ff2317567c75229110a41c3b2d6cab971a4b96206026852d54ac9798ebc5097ebd7c5704228ab4eebce26934bfb1ed9af31fc4fa3b4f6e86209f37bfb404f9406888b9bc8eca94139b521840000000d5257d616f7131a2e0ee111d0cdd994a32b4e8eaa0e89d708c8f76b68deddd5a080336a0d1c99decac35d2febec9fdb02041327bd703025f47ce7221a8681816	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
1344	wmpscfgs.exe
1344	wmpscfgs.exe
2608	wmpscfgs.exe
2608	wmpscfgs.exe
2840	wmpscfgs.exe
2864	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
Token: SeDebugPrivilege	1344	wmpscfgs.exe
Token: SeDebugPrivilege	2608	wmpscfgs.exe
Token: SeDebugPrivilege	2840	wmpscfgs.exe
Token: SeDebugPrivilege	2864	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2668	iexplore.exe
2668	iexplore.exe
2668	iexplore.exe
2668	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2668	iexplore.exe
2668	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2668	iexplore.exe
2668	iexplore.exe
1932	IEXPLORE.EXE
1932	IEXPLORE.EXE
2668	iexplore.exe
2668	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE
2668	iexplore.exe
2668	iexplore.exe
2436	IEXPLORE.EXE
2436	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 1344	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	28
PID 2224 wrote to memory of 1344	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	28
PID 2224 wrote to memory of 1344	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	28
PID 2224 wrote to memory of 1344	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2608	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2608	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2608	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	29
PID 2224 wrote to memory of 2608	2224	114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2436	2668	iexplore.exe	32
PID 2668 wrote to memory of 2436	2668	iexplore.exe	32
PID 2668 wrote to memory of 2436	2668	iexplore.exe	32
PID 2668 wrote to memory of 2436	2668	iexplore.exe	32
PID 1344 wrote to memory of 2840	1344	wmpscfgs.exe	33
PID 1344 wrote to memory of 2840	1344	wmpscfgs.exe	33
PID 1344 wrote to memory of 2840	1344	wmpscfgs.exe	33
PID 1344 wrote to memory of 2840	1344	wmpscfgs.exe	33
PID 1344 wrote to memory of 2864	1344	wmpscfgs.exe	34
PID 1344 wrote to memory of 2864	1344	wmpscfgs.exe	34
PID 1344 wrote to memory of 2864	1344	wmpscfgs.exe	34
PID 1344 wrote to memory of 2864	1344	wmpscfgs.exe	34
PID 2668 wrote to memory of 1932	2668	iexplore.exe	35
PID 2668 wrote to memory of 1932	2668	iexplore.exe	35
PID 2668 wrote to memory of 1932	2668	iexplore.exe	35
PID 2668 wrote to memory of 1932	2668	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\114fdd33396da68a0d2c01031e3fff64_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1344
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275463 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
63935061eebb8af4cf2cdb2ac190fb53

SHA1
643a5d7187cfb26c5c0a2ffee5fbaa18031bf18a

SHA256
906e3f0b69a1699411f255e0356ed93a9e0e6fb5da824dfb745348bf34f4ad73

SHA512
d561f6f880405eeac547681f49f0eb45407e7dd5ed2ebfef899f53bafc64c878f09865823d6f21fdf653e37f1b4bb17dd069aec714fca847a8ae19fdb50a4612

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
601b04ce5120858d71d917b7e5eea9d8

SHA1
be282f46047b280556b03d8c64b695ba3039cbcd

SHA256
d6c56190c11e41bf6531de17330c4e8f297e683e92c46f9b710bf62be8319e37

SHA512
ed4ae845fce078b8350312ad2ef6460ec7ec14cb58c007b299432773bd96fdad3d4607c7327e20a5c6070f97492c73258a093d59dd9e9cf76d70fd45fa55670c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a392c188e897965c14a888119f336e69

SHA1
3c78bf80bddb8cb4069b04e2183a063223165393

SHA256
0f695e04a112048c9b295a4ced19b234221e86a37372854387ffe295e4fd4406

SHA512
6eeeab1c662ca6c7e0a801027ac97290ab4efc8e9f429e85cf9d1592adfc833f929d8bfdfa5d301ce171870090f81a9d3817ff8d3036b1078aeb662bcd9df856

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f51fcf148e0a4c872bdd4334443ac626

SHA1
3f1584135f4cbcbfdbdc37f463baeaee39715bce

SHA256
fd428a6514b51c9fdec684e97e539c2499c0bf01b63a2a9d6fe685bb85b7185d

SHA512
5b32f99da983342a076c95760e2d7f953b4b14ee4c96a5fa95a7560ff38195de38f1dadc330c44fc0fd27f832c3eb872cf713a90066ec6b4e25e6926079517f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd7c983a2d46ee03810292abba28164c

SHA1
9c878de43ffae488a32ba059af7ad2e825e20a0b

SHA256
a17af731a40171c7771901359eaf04f9c19438d790df8bdf1c517b72b2d01919

SHA512
da27cff4541869241e6e7a04c852c782fc6aad21e9592d4399e54aa032f8163b226533fcbfaf4f27b2b6451edd236a7c0f93101a94de9a95773fd3eeaad9377d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9fb7bf9e9f9090d7a69339bdb625b326

SHA1
9b03a60e0aca2fb567c2a1c521dc79dd02d36a2d

SHA256
d9d98ae064de339d9e7e17c7899769b918a1007c72347e9a4be3a533edf2516a

SHA512
ba6132cb5ce0d9bdf71dcc899a526f09fa4c299028ae49ce537e973b9cd09cc399a6bb9c318fbb0980f3e3cb6344399f4b749d37e45a3f57992fbb3de7003626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e98c8e8dd04cc91844a9e202dbe440a

SHA1
0a76be452f5a8ed4f994cc0247556935faaa089c

SHA256
1f28dc58ec4f218b2f497221a931bc4acce798017d5562e62a4b7b75913c1a21

SHA512
7be790fb4b4561b24037ffeed8dfa8de252ab0c53b6959d4450b16c401af0f0f076393694368e920426913a778cfcc89d59c842cc4a65259e3872b6e4001bfd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9c82e5d7629192323864eacea07e07b

SHA1
e745cd5311f0efb1a5163c8e1ba393044fab7106

SHA256
a465e0b028c0b1407c3d664168f359be021685c1e1f6268647dc03214c659bd6

SHA512
c061a27edcc0934b6c063a87d896a28629b940d0a606df4d1dbd6ce2fd3d12456280bece86a2fbd52f694d4eb91acaa39340ca75cf31c9e46bf8f2b8b03751ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac853c818f8ffab669f4bf6e2cdb7ba4

SHA1
bf6c6f34ce666c84f246f76847d4d10346a76d94

SHA256
b87d2ea34b231a940fcbb8ac26c7c51979bd707b3215ebef9ec271855cce787b

SHA512
4c93988482b5000b502062ea39e984371a5d810a0519c687b87f01c78c5d50626641cd205b4b17fe23e4bcff7a2a7fda48e1792bf9940eb3fd718b4956008520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
072f611a12565c0b19b92255128b122a

SHA1
479161e6842a011320c62ccd9dd13ca58045e4d8

SHA256
e10c819814a99c5b14ed4e132e2fd38df05f955f088dfbcfa4ad5cd6148cfccd

SHA512
7ae79759ea71734069ec7aa577098a2aa875076bc8af657e3c1ed639ae496936a3e1f0ca641f93cc3de09c12586f99662dfc2f781dd0df4bf4aa83d0823cb1a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e26215fa9e1d34e30f5a1102c5039f5e

SHA1
db180a700766a47bed573dc73b7253993261377f

SHA256
f362928403c80f8bd710402bba190774dfe0f07d45371e68dc57a58ea2439b3f

SHA512
8e152c650b396665c8a933b013cb4398eb2ca00f80d9c631dcb123b517ecd280d55d06131438c57e309d1dc8ef41738f10fbdcbb8131af338e13948e40166073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
20ff33177d515edb7447666843952d1f

SHA1
02815ee5ca4bc90f8b0f54fb3e934a510b440fb6

SHA256
2c128b1352ebf4e5b3e89ef9fb0316f60deb680ffddb23bf94e3d23a57a675fc

SHA512
99faeec4ff2a549caf109c78162b25385638f6afbfcb3a48c2c1fbceebd1709a3653ae377f4b38c0ab4238a48253d4019c7486ecfaef45c607fc20c3b43f4e77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b1e44e8bb86e54e2700c6035d5c2296

SHA1
7db4deed9242fcece33babca6261d825e975ad32

SHA256
690b356999335c53ed4133be2fe3e368fd97d8b03e45e3326999ef142a001e1f

SHA512
321eac29d242a8fa48ed13275ed1ccce7ad588f858dc8d57c21cb12054f02b96c748249f78ca35f38fd264afd56d2f48bc0e8215dd27095ac242ef4f0c3244f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
799f2a77e5287515a4e1dbc3906a8f1f

SHA1
e883a578906be00cc069170542de23eecdecb1e5

SHA256
767a62619a601a93a7c0f4bd15594c330f011d6ce2dd83ba155a739ccc1111df

SHA512
4c10412f62511d9f3f4d85211f1bf4d6ec4908669bba8fd9129d83329c310da0c244cbd64c65ecd98246a37a77c7cca91da000e942c5ee13bd5b3ee964700bc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d1f8408b4ef4f99db0ca2bdb9801b56

SHA1
35e7955a4f8e6a0744064807185f98f15e650646

SHA256
1313b41ed4dee09fba14e10cb09a9756d097ef044c0501601de5f07fdfd65479

SHA512
5e7b3b00be2035a6b4065dfa9641c05c4a6cf4466de78f8c8cd59481dd449989927763dfd3adb553b0e86b12d96ece8cae753ccdf28a60af478a7dbd6c9039d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
084701247c0831498c25a6b93057cbfb

SHA1
313430fc8cbe5853cc4067d87e9b7067d7df04d4

SHA256
3a695d851ebc6a7be513af9a54d78e3a976ddf4e9ccafc547988a3c7f25e99da

SHA512
740435aab6ac22d9f527368772ef006506b5b0a2d4392beab824245602a2e733a933bba97c9b294fa12a80d4b43cd7da87477d13f004d9a71142a23f79065ef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e235d61f1774a39a2ae17cf3d641e19f

SHA1
1390882c8e862d5ab49251aa4e4eb11012a0b859

SHA256
672fcf48915bad6842b34dd5102c26e2503bfa7250b818a9941b4fafe92be3f4

SHA512
31b1bd2f0cbbeadbeb0f2062c2139d13e15bb43bd1ad31eb360a0fded2db27bdce26c55f6eb241a880631dc23fd1510265c33d8d69da6b974e30cb922ebc5313

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8112008e366b4d080437071a77bc29dd

SHA1
14eeea85fe6df25e830308b835f0ed5debd2ffa8

SHA256
3a8a73aa03c4c2771ddd415112aea1f19213802c62c56eb32e05b710d254a280

SHA512
40809aedc1fe8465cddda011481c7b1850948822f5c2a240fcff2457ecf06c9beb075c47f04b5397e5b7a3d428eff3eef0f6b8f68f819c4ef4045849a8eb5e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\bHBWOiIjD[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab934D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab942A.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar943E.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
1.5MB

MD5
031028a77328037c55f6def8ce0aaa2e

SHA1
148fa5a16831566e4a7b143a419cf2ecd7313bca

SHA256
528600dfb6847ca4658d4b4cebc22ecedadc400d15e24f0eb17e088b2b117a6e

SHA512
7ab9c2b6630504ca0c78452ffbbb065a52af1c5223c71f514cd75808e9ea70b4f1f0d6500c28b3ededf511651ce7eaad327038f1eadeb394e24935159933d7af

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF198BFF8A959839ED.TMP

Filesize
16KB

MD5
12582a4b660e321bbdc3b4d82940c1e6

SHA1
b6951b3a53a5698e8048479a87b46c0143e57d2b

SHA256
ab396674de98f8a7df3e32b25ec9d73702881a8a45bb86a8a0aac2ca2be0ef79

SHA512
2b8a336ccfe244f8169e93126abbd87431e36e7897dec0333271164bd67eab198dd87eacfb9fc51b73c154b023b28518e49337f1496ab2696dd6c216a78c1aa4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8F48MJ6K.txt

Filesize
123B

MD5
033813210561c2de2b42faaf73918bf6

SHA1
bf820314e94d506576429e3a815a0b0511e49a93

SHA256
553a04b5056eb3744839afe30ab3d59c7eb7211f8b398d4d06c07ff9e9386d47

SHA512
0a1da8dd5ccffad57ccb9082e7aecbd9ca476c3304c6692d7fb65e029d7b6043cf15d50c42b306ab25686ef8a774f24d4128e5a38e62e42a717abc3feb53bf8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TDNY5YD9.txt

Filesize
107B

MD5
7dd76b5747ffeb3ebdea5a093f2b03af

SHA1
ac98510507373bc74620719b206837a7ec9cd85c

SHA256
b546b70cd3210aaa0ae2947b8ebdf62f568cd99b22b3bbcd39f21d9fed46d963

SHA512
c3930641412955d445455c3e9d507eb9e6d5660dffeae97776b23f056e91750aa639f316fc7bbd454e49c32b9ba43cd73bbbef4d3478a103e86f49fee1d1ea04

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
1.5MB

MD5
dfc07612500fabe2a4212ea6a1a04e9e

SHA1
5cc333d98a24538651303e2620ee732fbd972915

SHA256
0918097a0d0e1cb5c786b755b2777b7b5ae9686159f65976be8196e0e3e7025e

SHA512
bddd0a935cee098f86b67a02dcdf68c21d62045a8cd281ff38acd2d46dcfaa05ae8a0d2e77c6ed3ed95131f170da6b845097667076270262878c83a566631e78

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
1.5MB

MD5
b08001b880fe162a74f875f9c081fabd

SHA1
f9cbbdde11ee04dac5c9a864dd99eadc82d0670e

SHA256
d1f509f30ce5c1e1c3e1a45d3619dad94e3b9c716d4bddfe20b35fbf6f603ea7

SHA512
31fb67c0ba75268eab6a5a0e30032760a6d6dd417b8162609d10df098f91ef9feb4d2fb168b5854530decf0773de9f108882f8089d9841bc29fbd408b1c633f5

Download Submit
memory/1344-23-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1344-57-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2224-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2608-35-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download