d2c37e690d3a80da2c84c5ed94c1b3aed693bb84faef5d9313166d5c040f5aa5

Analysis

max time kernel
130s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
Size

443KB
MD5

fdecad3c2a3ca19b4b200a17ed8442d9
SHA1

11a7002c35caab42e5558157a64722b2288bdef4
SHA256

d2c37e690d3a80da2c84c5ed94c1b3aed693bb84faef5d9313166d5c040f5aa5
SHA512

6ff2a817dc341f4189f92b67123a4b033488549e1cc4b04e35d69a8a8ac2ba595b6f56909e22668561758b19d296a8722339b4cdded8b5ec2893780940899ce8
SSDEEP

6144:MWmMUsluzAEtyzjpP/CJ+jFQwDEJH2DSz2cYdrKMiXSsVJMzDyqmZY8X:5mRslOAEGCAOS2xzSKMon

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1096	wmpscfgs.exe
2432	wmpscfgs.exe
2060	wmpscfgs.exe
1924	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
2432	wmpscfgs.exe
2432	wmpscfgs.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1084-0-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x0006000000018b42-8.dat	upx
behavioral1/memory/1084-15-0x0000000002750000-0x000000000278A000-memory.dmp	upx
behavioral1/files/0x00080000000155e2-24.dat	upx
behavioral1/memory/1084-25-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2432-26-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x000a00000001466c-37.dat	upx
behavioral1/files/0x000c000000014fe1-51.dat	upx
behavioral1/files/0x000a000000015364-53.dat	upx
behavioral1/memory/1096-60-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/files/0x00050000000193b0-73.dat	upx
behavioral1/memory/1924-74-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2432-64-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/2060-91-0x0000000000400000-0x000000000043A000-memory.dmp	upx
behavioral1/memory/1924-169-0x0000000000400000-0x000000000043A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
File created	C:\Program Files (x86)\259451861.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
File created	C:\Program Files (x86)\259451877.dat	wmpscfgs.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a01f6a46609eda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000000c617ac16a4f1324d9deed894ba9ba0a755834c856fb76b7dae910fbf8079f20000000000e800000000200002000000042dd1a22e0f7518360b42f4843dc4a85c6da15944808e632701ae631bfe1262a90000000cd59737ab8bb849a2d0ca669877ccd546f2a75d2356ee84082cf005df300583f1519fc6bd20c6458e215e320246ff7a12d2b964bfb3005c607a86f8fab25bd9ace815949ab9cfc15a300ef144cab67dacf54337bd4b1f3154cf0c6f342ee5338f5f5b6fef70ce0f432008220b4cf6030d82b856dfcae2826f4ae7efa167528aa29ff5651b082330d12a6f8a0a15b4cd840000000aa432ef6d29c9567b91bb81f0d4a842f2cc927ae370397422847eadef4b6226213436edec8d6d6bd7f0679f37871a572b0dc89398c76c1850a4ca85435d680de	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000cd93ac17d88768b58907f7b06589d5ff523ba8fd2f5cb80dad21067d2dc6737c000000000e8000000002000020000000a4e4e5779b875cddc8641166ea97d4307dd8b4d344467b879a1f00fa900d756d20000000fef346b8a7e8c289a289656c65687f2a4d743552ee2a7cf8b4181f1a4158eac340000000d67d4a6f630a1fb4b2ee3b96e5df4e1b919c8b18759a3d25283fd3fec59d9ce28cef9928d8b74489065a21ff8b81207b57aeae926758cd3d923d99395c7de204	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421015790"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7FDB98E1-0A53-11EF-9C59-EAAAC4CFEF2E} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
2432	wmpscfgs.exe
2432	wmpscfgs.exe
1096	wmpscfgs.exe
1096	wmpscfgs.exe
2060	wmpscfgs.exe
1924	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
Token: SeDebugPrivilege	2432	wmpscfgs.exe
Token: SeDebugPrivilege	1096	wmpscfgs.exe
Token: SeDebugPrivilege	2060	wmpscfgs.exe
Token: SeDebugPrivilege	1924	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2396	iexplore.exe
2396	iexplore.exe
2396	iexplore.exe
2396	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2396	iexplore.exe
2396	iexplore.exe
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2396	iexplore.exe
2396	iexplore.exe
1344	IEXPLORE.EXE
1344	IEXPLORE.EXE
2396	iexplore.exe
2396	iexplore.exe
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2396	iexplore.exe
2396	iexplore.exe
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 1096	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	28
PID 1084 wrote to memory of 1096	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	28
PID 1084 wrote to memory of 1096	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	28
PID 1084 wrote to memory of 1096	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	28
PID 1084 wrote to memory of 2432	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	29
PID 1084 wrote to memory of 2432	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	29
PID 1084 wrote to memory of 2432	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	29
PID 1084 wrote to memory of 2432	1084	fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe	29
PID 2396 wrote to memory of 2924	2396	iexplore.exe	34
PID 2396 wrote to memory of 2924	2396	iexplore.exe	34
PID 2396 wrote to memory of 2924	2396	iexplore.exe	34
PID 2396 wrote to memory of 2924	2396	iexplore.exe	34
PID 2432 wrote to memory of 1924	2432	wmpscfgs.exe	36
PID 2432 wrote to memory of 1924	2432	wmpscfgs.exe	36
PID 2432 wrote to memory of 1924	2432	wmpscfgs.exe	36
PID 2432 wrote to memory of 1924	2432	wmpscfgs.exe	36
PID 2432 wrote to memory of 2060	2432	wmpscfgs.exe	37
PID 2432 wrote to memory of 2060	2432	wmpscfgs.exe	37
PID 2432 wrote to memory of 2060	2432	wmpscfgs.exe	37
PID 2432 wrote to memory of 2060	2432	wmpscfgs.exe	37
PID 2396 wrote to memory of 1344	2396	iexplore.exe	38
PID 2396 wrote to memory of 1344	2396	iexplore.exe	38
PID 2396 wrote to memory of 1344	2396	iexplore.exe	38
PID 2396 wrote to memory of 1344	2396	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdecad3c2a3ca19b4b200a17ed8442d9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2432
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1924
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:603146 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
470KB

MD5
29ea4e719ac1f240bf7b29d2ef2d150d

SHA1
0ad4ecdf8944cf98e88ff404ed6da47a7c2441e3

SHA256
da6e7508945dd5f221f83505e64ec63d0a5c55e112fdc372d75de375874590ee

SHA512
4608a6a67580936da96be2cdd416af7a346285b16fcc6a25a77977be261b49f89ad78520be8d4d431f60447f6f14381299f07e2e88902a0f10cffc256af8072a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc735451faf5b752f8744ab205c49dd6

SHA1
a50f89ee2fc191cc313b99dea92736ea8a3dca29

SHA256
d8b82b09792ac0e7b63b78361ddcf0b72d83e4a47495fdb277b11b45357b2d74

SHA512
ed4006d6b88a273640721ea8596777c7b437ca87d0c34ee4a67048f6d500f6c99f317d901ae36742c68b984d9516081b1f83ddda6d7ab964c89d82745322297c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f334698f895a1430d1a6b55c561986bb

SHA1
1931f9f0a13a5347ac6cf72fbfbf5b88c950666c

SHA256
5b2c40d09d7793eddafaf101dd0d6cd24abdbef72c701368f1d2e895b217f6f1

SHA512
25ddc9a0000e9ce5d83c63bc770ab4195332f5f28753286bc9b25268f0a1bf20173b2ad22dd12ebbcc401c150e17ef456129eb54e8f4b45fea09df4d74377707

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7201647ae26fefdc709fa435f8f18f1b

SHA1
493aa879fd961c0d0a39f96b0eba8fb9d8227846

SHA256
ddc16a22abac3edd6a7e54d00bfbccbcc8d219ecc1e99fb7130b67d18774447b

SHA512
ee1e657d647b0c9c804e9862b6162faea80568eedf94ce4e890e4f2c38ee72f54fe8c7c4c600a36ba6a36afa7abbdfc50b4f8eee5bcf1cae1cfc7abadab89de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7071d4ffd43b381508a1f12b31f3947

SHA1
9f11703fe0608b582ea0adad0887c7bc23795065

SHA256
71caf88f262705bfeca8da44445b7f1039107aa2f46a1bcecb0f95b4b817949c

SHA512
796c8c42ed875808594c2448b3b4eded1d4e8f6263037f8b1286eb19c650db2079efbe29916f43070809397c5d00166978c3a6f1fb8ba8856068a4a077e85071

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb599e2d90b1a87f6a43a69f398a2b3b

SHA1
47740c9cb582fc4463385a3e4226884d8df8243b

SHA256
76e5385df6d6eebfe1ddb8c568d7f98b80cbd09cff4cddc56c7901795ef74292

SHA512
3f5002a4e35357fdebbe1430afbd38a0463cbcbcf94414f637186119d2ee67cabf9eae65c26a5bca481af4b4e59c9f0a6f5b6a294073bca6ef02d46bf28acfbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
17713b4570dd3e623cb92af22ace6a79

SHA1
f4fa2283740e4934694fcb1b9967c3c464021373

SHA256
8f5e24fbf6e9aa389c2820d426f6a7cbca891be4a5bf72241e615b6d0a12f7f5

SHA512
204888107cac1bb5a3f22032424f0a7848e0bb37806fc9ef667dd7c71bff87992052d5e871b2170f5fbeb9b638002bd424934fec028f70581ddff7f720c1fde9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e84ecc63fdc3fc152e8b0b818cf0e236

SHA1
8ffcdaf5ce283e327c2fea22fd99d03685114523

SHA256
f26d5cd65e81bfd60f7859de45d43ce9b2aef0097c7928b03eb78f30780ff01b

SHA512
bd7dfa5572b729039ed9cd11d6a4ff5244bb458db5a30c4e4fa76414ab8ee3c4d2a0cf2b705d369f24e5189447d71eed0164381c37dda96dbfbf69bd39c2aa1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a19df9712a7874f8ae9021a455d9f52

SHA1
cca6c8eba2b5b5076a860dc4c96177826021c3ae

SHA256
444d6a74e11c10fee1dae314f403b00fdd5aa42efc31619aafe2e1256813179c

SHA512
5f6660da32fb28c6706a4990ecdf26c654458f2490f00f69a5f52d34d5f52696892490069434be541dd438a8b6810f67c0bbd1ebfa0d2a4df6adeafc7b160a20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6437b6d24518ddcb9e258faecc25998c

SHA1
d64bccd3662c210515ca6cd7b2f70ee483084ac6

SHA256
36e5a76df017d465be10f7ece9b217bf1f98e141e66bc6b0dc3011a842f069bc

SHA512
9f533d7ecdb2bb7f328b88cefdf77f35551653d8bf130ad7f98fdd0b2d42c9843bc193191a9f1588fe794203c7f5cce58ab88aca47308aa6bf7643b8f7cdcb23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e8a90514186047eae53b68851ad3bf3

SHA1
82b4dd8f2d48b74492e50fa0febea1ffbbac50f3

SHA256
06d291ae1435b14ee6a84b6d26d70ace8f45c9b5c5a20cecc9b8dca3e52c99ba

SHA512
c320d3e8526e66e25c95bfc3ccd611ae0e58093d3a7f79f1c4cce86389e335b023cbe6244d114998f27fb72196ecb82a84bc75bf1138e3cc1762d1a833494e6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9M0HR0P6\bRamGIUZh[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD8B.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF18.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
494KB

MD5
8016de1204578e560dc3cb3ee074422e

SHA1
f8a1f48fec3d02466981938f5f6b631f0e80e058

SHA256
ebf4b172b6ed8561382274f4e9c6fb621ec748e2ec2c39a21c41ebbf30365dae

SHA512
cf11eca18b57394076fac83efca5f07c7ed1704052a425efc7ab2935d4e402dbe17efaf10ac050e564c98339765aec72b613d6cf7982577784dd5e92004b510f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
482KB

MD5
e539e6a005b8f1e04f8f443d5cb53532

SHA1
d6dd3a1c7f192d72a2d90edc951b2c8306be0b96

SHA256
8581b9a1f7e1aa42e5d54d8a06257100d434533a0a0d762a86bfb88520198beb

SHA512
b5921de8776a37b2376d1e1db9672d559bce673fadc094c1ed4cd71e9eca6bc64aeceb0fa10cb5733e62b2ff24c7d9e5983e8721865ef35e0ce4802df7b4bb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC8FA56D798C8B23B.TMP

Filesize
16KB

MD5
13a127084cb361e31e265dbb042384d8

SHA1
d8746ad211c2fc658f4d259eca89674d2d7331e2

SHA256
a2f9b80e930ddce69a1d7ca07153b7ce2d743604a09590c5a264e9f1c2d076a6

SHA512
6011e23301002035b0be3d3c989172ccbc83a8a90b2ce39461ac063525f0d711a9402246122f8fe538b131c4632f3a9ec6d4cc28c5dadbfbf2f53a3a717f56a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\KVOJVKT7.txt

Filesize
107B

MD5
9ef6dfa0874e9cec8661773bb18c6e77

SHA1
48021c230d891913ad82d2b4d5bb56268952dbcc

SHA256
3b7761fb5950281bd2a8fe45356240e66e326848783ee3085564fd225c1d48a5

SHA512
2e3882cfac2a7c9a815575f7bc73da2c23895d88112c5d7124b2df3ed8f328506ec21376d135a4ef8794e4f4525e610f58dce271176cc734019fc552d1ba963a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V7ZMZR7J.txt

Filesize
123B

MD5
b871fe56d362c6cbb95f8c645e742ce7

SHA1
baa8cff4a22f39bf342b1717ae25ac95c1c61086

SHA256
12e776f13cd03d9c7fd5179f464b932869cb4d466018148763d8461aab2d96b9

SHA512
5cb91e93e733ede60757a570942a766b343a7bfbec4c96f3544f7383eb87cb07a6f6a73b86716d4a887a0afe078d4b46ece86ef3eea9781350005b949fa498d9

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
487KB

MD5
369a898e1698a0d225b4e4af0033dd5a

SHA1
1bf2069ecf37402f63e6b01f6a7f0dc1f7179366

SHA256
4e9efa18abe57b8e8586421385cf02f725675d931409c43348368e1a7bc881c7

SHA512
52895152c9042dc2ed04a02aebd67f6305bb1e9a817570e9263c0a4565a9d536fb4bb370216d1cbb84b5eb907426255c624d08a5f894e140b0231c25a24cdfeb

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
490KB

MD5
b97d4ae693978a4997da78c5ca4d98b5

SHA1
d3f5ad5bb9c213e2debe90322f92fe60ae633763

SHA256
3087c9c8dbbd1f9dd380a6b648b9c51b10056a6e001bd4a1848a6fd66aadde15

SHA512
7c0faaab7e01734fc46dfc5d9f1321dfb5e8ffbb0ce71e0e50a36874ff79ac4df4afa481f8d819bc35f3ea6d03c77f8b0277654f18d0fa61c694afc9619e2a97

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
481KB

MD5
bccfd822aa6abb2d461d2acfcd99346b

SHA1
a53c454d5c773992cbf7d9e611c4111b47b6ff7c

SHA256
5ebb616b901b6949c8aa66603daba66ff9f277d854b48eb7f8b9cbf6fc6fe274

SHA512
2d519c0918c9360435964ee5158d9d654e6694f5df42d98f73231c76c1ccc1ad3a9ab4e302772ec5bda0ff5832efa921ec77157ad72f5a36e3ee766402489e22

Download Submit
memory/1084-2-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1084-16-0x0000000002750000-0x000000000278A000-memory.dmp

Filesize
232KB

Download
memory/1084-15-0x0000000002750000-0x000000000278A000-memory.dmp

Filesize
232KB

Download
memory/1084-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1084-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1096-40-0x00000000002D0000-0x00000000002D2000-memory.dmp

Filesize
8KB

Download
memory/1096-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1924-74-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2060-91-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-27-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2432-26-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2432-71-0x00000000002C0000-0x00000000002FA000-memory.dmp

Filesize
232KB

Download
memory/2432-75-0x0000000000310000-0x0000000000312000-memory.dmp

Filesize
8KB

Download