smokeloader | c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057

Analysis

max time kernel
300s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06-05-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe
Size

719KB
MD5

91ed4ffb7fa8faafd3f2f348b4e8865d
SHA1

cda8bdf2f64ea04cc15685a79d0c11f8ab4192f8
SHA256

c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057
SHA512

da333665c18a7c376a0f3eaf746e2f31255dc629b40e2de9852bba67649a7a9743a1c3ff3197e86812f29d8293f602334817b1588184d322ed91cbac0bbf4171
SSDEEP

12288:VXQvjGeNWM74nhfIZkQCYepr1wa21kpv9AzAllUYWnTYRG6GMZ0PIBFfc65T+G:VXQ7pWM0nJJQCYe4a21kNWzAKTu+ArzN

Score

10^/10

smokeloader backdoor trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://cellc.org/tmp/index.php

http://h-c-v.ru/tmp/index.php

http://icebrasilpr.com/tmp/index.php

http://piratia-life.ru/tmp/index.php

http://piratia.su/tmp/index.php

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

Twins.pif

description pid process target process

PID 2592 created 1192 2592 Twins.pif Explorer.EXE
Executes dropped EXE 3 IoCs

Processes:

Twins.pifTwins.piftduwrsa

pid process

2592 Twins.pif
2284 Twins.pif
2484 tduwrsa
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2728 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Twins.pif

description pid process target process

PID 2592 set thread context of 2284 2592 Twins.pif Twins.pif
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2592 created 1192	2592	Twins.pif	Explorer.EXE

pid	process
2728	cmd.exe

description	pid	process	target process
PID 2592 set thread context of 2284	2592	Twins.pif	Twins.pif

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Twins.pif

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Twins.pif
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Twins.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Twins.pif

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2624 tasklist.exe
2364 tasklist.exe

pid	process
2624	tasklist.exe
2364	tasklist.exe

Modifies registry class 20 IoCs

Processes:

tduwrsa

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	tduwrsa
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	tduwrsa
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	tduwrsa
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	tduwrsa
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	tduwrsa
Set value (data)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	tduwrsa
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	tduwrsa

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1232 PING.EXE

pid	process
1232	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Twins.pifTwins.pifExplorer.EXE

pid	process
2592	Twins.pif
2592	Twins.pif
2592	Twins.pif
2592	Twins.pif
2284	Twins.pif
2284	Twins.pif
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE
1192	Explorer.EXE

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Twins.pif

pid process

2284 Twins.pif
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tasklist.exetasklist.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 2624 tasklist.exe
Token: SeDebugPrivilege 2364 tasklist.exe
Token: SeShutdownPrivilege 1192 Explorer.EXE
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

Twins.pifExplorer.EXE

pid process

2592 Twins.pif
2592 Twins.pif
2592 Twins.pif
1192 Explorer.EXE
1192 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

Twins.pifExplorer.EXE

pid process

2592 Twins.pif
2592 Twins.pif
2592 Twins.pif
1192 Explorer.EXE
1192 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

tduwrsa

pid process

2484 tduwrsa

pid	process
2284	Twins.pif

description	pid	process
Token: SeDebugPrivilege	2624	tasklist.exe
Token: SeDebugPrivilege	2364	tasklist.exe
Token: SeShutdownPrivilege	1192	Explorer.EXE

pid	process
2484	tduwrsa

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.execmd.exeTwins.piftaskeng.exe

description	pid	process	target process
PID 2000 wrote to memory of 2728	2000	c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe	cmd.exe
PID 2000 wrote to memory of 2728	2000	c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe	cmd.exe
PID 2000 wrote to memory of 2728	2000	c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe	cmd.exe
PID 2000 wrote to memory of 2728	2000	c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe	cmd.exe
PID 2728 wrote to memory of 2624	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2624	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2624	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2624	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2528	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2364	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2364	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2364	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2364	2728	cmd.exe	tasklist.exe
PID 2728 wrote to memory of 2372	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2372	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2372	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2372	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2436	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2436	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2436	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2436	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2488	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2488	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2488	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 2488	2728	cmd.exe	findstr.exe
PID 2728 wrote to memory of 1248	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 1248	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 1248	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 1248	2728	cmd.exe	cmd.exe
PID 2728 wrote to memory of 2592	2728	cmd.exe	Twins.pif
PID 2728 wrote to memory of 2592	2728	cmd.exe	Twins.pif
PID 2728 wrote to memory of 2592	2728	cmd.exe	Twins.pif
PID 2728 wrote to memory of 2592	2728	cmd.exe	Twins.pif
PID 2728 wrote to memory of 1232	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 1232	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 1232	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 1232	2728	cmd.exe	PING.EXE
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2592 wrote to memory of 2284	2592	Twins.pif	Twins.pif
PID 2636 wrote to memory of 2484	2636	taskeng.exe	tduwrsa
PID 2636 wrote to memory of 2484	2636	taskeng.exe	tduwrsa
PID 2636 wrote to memory of 2484	2636	taskeng.exe	tduwrsa
PID 2636 wrote to memory of 2484	2636	taskeng.exe	tduwrsa

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1192

C:\Users\Admin\AppData\Local\Temp\c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe
"C:\Users\Admin\AppData\Local\Temp\c8e013303ccd9105c2042b0d35e923d95eae9b6294550a9a206fdbfad6eae057.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Ink Ink.cmd & Ink.cmd & exit
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
4⤵
PID:2528

C:\Windows\SysWOW64\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2364

C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
4⤵
PID:2372

C:\Windows\SysWOW64\cmd.exe
cmd /c md 339613
4⤵
PID:2436

C:\Windows\SysWOW64\findstr.exe
findstr /V "CLARKESEEKINGNORWAYREAD" Transform
4⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Bite + Nylon + Optimal 339613\j
4⤵
PID:1248

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\339613\Twins.pif
339613\Twins.pif 339613\j
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
4⤵
- Runs ping.exe
PID:1232

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\339613\Twins.pif
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\339613\Twins.pif"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2284

C:\Windows\system32\taskeng.exe
taskeng.exe {A362939F-A0BB-46D7-A3CE-34F001ECCC69} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2636

C:\Users\Admin\AppData\Roaming\tduwrsa
C:\Users\Admin\AppData\Roaming\tduwrsa
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\339613\j
Filesize
210KB

MD5
b39ad6bd549720c0939f7b8c454c947a

SHA1
7eeeb0f0332d4fec13fd2933ca52e1d1241d2022

SHA256
85b73feedd8197d87c14e5fe394dcf9509a987a4da1021ba3ed739a7e2909417

SHA512
31ed6e99f53bcd3d508a578d90822a07aabbf24a2d6ac463eeeff3c872dd94218cc996a396fd62dd202c0c9f0a0d3349bab18514699623e21a698d8ab12a09da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Arrive
Filesize
7KB

MD5
20c3b361a5cfdc98411b47cc4bc4aef5

SHA1
b5be8381d178dd44c4c9641d0ecd43a3f8c222e2

SHA256
87ae0006f377d10a8c54f93e699220834330a452dc48c8dff722d82a048df3b3

SHA512
be4471851ae2ddd325bd0f2e4db202af9d550d13aacdc2e47f6fae6c655b06661f2e057731ec858c96ed01daf35cbd74a883b9e5b902e9336a559d88541d2fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bite
Filesize
54KB

MD5
94924c0aabd7d7287f016ce9216f3ada

SHA1
e82a24245b28a5205b63ae9f3427ba98c52ba3df

SHA256
a22e0ff3583dddf90b2c10518121ad881c3602738a046e89d73410806ddfe62d

SHA512
e78f361a8ebf565a881efca857903ca805adf71e0b82444e5c776f7fae98f42df4474288b1ed7797f0a0ce3c1f61d73f6542ebd681770d60b8d563838a7e19fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Blessed
Filesize
31KB

MD5
6d4552c8407ecef360ee9f302075ac88

SHA1
3213f730a3ab007e93130354b515bed178f9644e

SHA256
397052d31ea88425f3379d93f5b1dbe0c0ea591fd2de5597846cc2da8a9e1151

SHA512
0c7b3025e3faed1706e75e2deb89ec87abfb08d25198c258d9801c59578b08ee58741d04f6ae41e65071e63c9d4f603adcb3c4a2d5758d2de3daf386723a6b68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bloggers
Filesize
8KB

MD5
8b0e3371c784afe024268fdf55e1da3a

SHA1
eb83d73503a78cf2a744916a7f8e702ccf1b5bfa

SHA256
d15e6716a700144c2863606b2b26fefc22e7e562615f5c52b46a7e3f065d22bd

SHA512
1db22307abc653f4cf1d4c95f3168306b9cda874f9fac0383168585cbb2ea51c83c103a72adfc8328dc5000724374950db4b82c2780997fe1a18ad9d1dc78a9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Brussels
Filesize
47KB

MD5
2fcec0db044950883b66291a4c31ccf0

SHA1
da0dc5b7168e8025e6626fe43f8033610a47b7ad

SHA256
940dc03c00c7917054fd4de58416b07ad7dee64da88dfe5736ccf2ac365a7de5

SHA512
22befd91bc03fed521a40fb5ec5afbc84c13406c2146e2ae70a3a853e148da0d2301c2977624bb246bd2ac2779a07b6b346243c764d133b9cd44e37f2b2705f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Citation
Filesize
50KB

MD5
8747d47d30c3a9b323397cb997264cb9

SHA1
14d5f04b5c23f0d3f1bdc6b8b5f5cabc6e2ab542

SHA256
98337b324e7aec5ac7c082f899e7b9bea4f09da299e805615f574500206c4603

SHA512
f2c295a6daaedc522bc64834f00e79259e77f82683b130ba2e11d6b97f138abda1160bab8d2ed10d693a87e3c63119e177a70e9761b57a3b9b561b843eb4d24d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Commission
Filesize
28KB

MD5
fe30a56aff578ae55d096c8d0f342ef7

SHA1
4effc8214ed1b74aa692d0a17f69acf2987a8f4c

SHA256
d036dcc45293a51233e048803ccd9d96c40ec9ad2130be959f09fec60b30be99

SHA512
b8f87dd8a9f1e8ca7a239b1b4f6faf217d534f97f23d8ef2fc5e978c3d02ea024cb482b8d0b66a0e9a2b1a65682c68965a536ccf4a9d9cc783a73247fc838089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Common
Filesize
12KB

MD5
43d595be944a3e313154f7c1191c2b59

SHA1
fce4b24bc868f0837c7cd57c55de1bd0fbe287dc

SHA256
208f5fe45ae203bdcc5137eb1abbe78e4ba082ac62622f7eedb854acb2836ced

SHA512
d8b9b4b1a9d1f4cf99a6970a1f7b455bfff35e18647c274da3b91d6786ce5ae680de1b1384ab1621004fe10ceee131403ac96531cb4fbda121e1d4d2cb939b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ebooks
Filesize
12KB

MD5
2fae802d8e858627dc23094b0a789259

SHA1
f85b7cc2f327b65cacaa7632da556c3c989b7384

SHA256
69668a6d7b91cfb3a4deb0e845e6334df9037c648c0772ebb2d5c9e5f20573d7

SHA512
2e902f26ea3aac8b663e384587304ee3282b5bc5f68ef9af289106da0b274926ca44bd4ec24f0c3a6c4ae6c7ed9d1d096e0c063d0d1548234c77f4bc0d741cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Foam
Filesize
46KB

MD5
44ff5841f82e491efe85ea1e70c0d6c4

SHA1
189e45af0d6fd05a5f4935349d21ca7c695c7cfb

SHA256
3745a49c15faa0ff0d4a6bc19e0eed7bfa817aaa9308cb5f3a70dcfff86932e5

SHA512
dc430738f9817bfbb79bd1b606b421e9e79f93a756b8afff29018bef23945cd7500479a8240f5fcb95d5bf0bc50311dace84edc40c68e07bc124a84d4ad0771b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fred
Filesize
56KB

MD5
94a6103efc667d158fffa1ae61c1ad25

SHA1
dd39637cc2286bbd41c39d2d84a33fc69eeca511

SHA256
f95c6dec1ac818741ddc3722e771488791a3bdeaa60cbbe257f63dabea263c03

SHA512
ab48b188469ba6aa918788d99482763f837fc18d93da47772eeb4161d000ccd462364a6029339d3849dd8faa49d264594380eaaa9b52e8e87dec42abba052ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Frequent
Filesize
49KB

MD5
1905972c1519b69d0496f9e84cbb2a7b

SHA1
6706ca636a20b758e94e0972dfe90414bf3e482f

SHA256
4492b37709dc875951ef7f91062c146554a6e85eace84806d126a57a1ecc4f1e

SHA512
48e806f7ec03077ac137e3054d36bcfada9443fcd61ace20aee161b5df3469e39f00edba48401f1999c862a28ec641f8b7b0c2b0a58043d8d92cc07466f36e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ink
Filesize
27KB

MD5
60287e2efb7b61761d76bceb5f98eb31

SHA1
7b2f90f5ce2ae201ea5671925b6398b88d07eaa5

SHA256
a1bcdee60fad62582dc3b62bf17dc9d952a0baec22a1636bfbf3cbbf664594a2

SHA512
7466a51f386b115713f670a4ef240fd0f5583f58b466fab2204e47784a73f2beb6c67036ac689d6252f19ae5257bac2e467b5036795c51bbd170d5b8a4b8f01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Intelligence
Filesize
49KB

MD5
515fa986d07fe7050764d1e43f779eb7

SHA1
4bf8e865b4c22c5e4c068fab632929ddc1e88338

SHA256
b1234563fa54f46c03094dabfeee33f1aa534f854bebd34701ba685e346166a9

SHA512
8b589c3fb58d5731a840256281e6b8cdb2deb506e6c8b2305dec9c7ba37f8e075e9b3030480f565ab8289872a75f2b79b259c02ac9129c9a84cc46b5419406e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Leone
Filesize
47KB

MD5
efa13c926e1f0361cadaf8ac35e0a321

SHA1
cece131b2e7ed6911baec0d46795406ac0fc92bd

SHA256
9fe73754925aa37b3f20393611ad2a44a43961edd8e8e4d8efd69b8623d405f3

SHA512
fecd2823b79a1e24713dea2aa40c89bc0085db29319b42ad8c7038f26ce38704b40fc1d53af2f1ddc594d8d0d33777344732e26c05b01063cc7c2f66c597d33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Maintaining
Filesize
47KB

MD5
d562003277f0ac19e5b3ba836ae9880c

SHA1
90e2d0ead3ff45917cf3a093b81ea82e0cf13837

SHA256
75f392328d934257039580c4afa942cdd50e01aca4a597c2ab121b115fa67776

SHA512
d881323e1f729921c85c738c4b0db294963f6f4c2bd1e02e9e077c435c39ae4fe52ddc9fc6bb4fd32eaccf51f05bf0df88fb6c5123e6c10dec9f4f5c7eb5a14d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Manually
Filesize
62KB

MD5
a5ae326ecacc87eff80a70e4b692cc95

SHA1
b04807874be6f09dd98f36d374326c645abb010e

SHA256
94bc11c0d77ef6a727606b675ebe025d44b1353aa0a998428edbf954d920d606

SHA512
efb21f303cf5b3c1c543a027af49466f6394731510e955cc0b9f57d575ca2755c07b64a70d781185315ca941ac3f36f4f9cf95cbc74315977869a5259c319431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Monroe
Filesize
69KB

MD5
3837e97a84298d7d76c19f6aed184fc2

SHA1
1de882c6991dccfe9f15f97ad8a4bffd1dda6bde

SHA256
e972e4d346a8dcfb949df0595ce108e26745459eaa3ae085aca0c0d69c29e0d2

SHA512
4cd69ac2f0b52490b19d5b94708ba592a97443bf1ad7cdd78ab6c53bea0b2c17fea007439eff9914c21536b2829407cb075600b0b3ea57432dd86cd27a984c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nashville
Filesize
11KB

MD5
495c206c92c5e796c582c66463a4c02c

SHA1
587699c52eb6c0af3671a47ba67390af10009ced

SHA256
7f11648d2b673e3b410c7ac81b0923dd1957992530c87fa23bc395d5c4390f82

SHA512
9873c74b8651673087300454fb01ea5b6050114ed87cd6feddada675504a9d53403dc9047081653c67dfd73a1ce51ae0159562aa6f571808096c6fc24165a37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nylon
Filesize
140KB

MD5
02f7d1e360e2803d6de3d428d7d7f9b7

SHA1
2875e24bb2be05cab184d7ce369484f2537508e5

SHA256
05f45253e91ff3499e07468867b14771aed714e1e25a54ac0bbdeff26a7794b2

SHA512
9a91a218bea528b7314c3e701c7f87cb8e9465d1d26c9e1836b857e396a8ada4e2672102886bcbae5e4aa811fec0d8ae5311e7d8927f415d7542d24d7601344c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ongoing
Filesize
29KB

MD5
0261921ea3363e603c474476604e03ff

SHA1
0009447e832d4bfdee0829ad4c0d9976b8a9fca8

SHA256
02cebb6afcafcb6887ee16f2701ab240f0f9205a19e472925cc52ca97b4e8009

SHA512
dd87ada76d58d1376dbd8fd15a9e25f220acd48a8e11db74153d0f2cdab07671817cde9cf2c8f4c3b0cab721c0506d21cf4566fcd34de754b745a4b04b3c6874

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimal
Filesize
16KB

MD5
f9706d1a526b59aaf08de191ff4fefa9

SHA1
466f4c743acd608d1949d8c96114156f94660d2f

SHA256
a393ae065ee0a1050a005d4f6394694bee2db1c1d27fca71cbadebe9a57a1f70

SHA512
a77524cf193ac406b20a98677c850175a5d7cc2c8f9593ed71fbdeb444a2270961aa39cd23537d146657e3e3572756c2e19cdd35246cda1d108dc36c688a8ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Personnel
Filesize
25KB

MD5
0d4d2e4164cd06145e7fd078de44350f

SHA1
d8146b98520852467ac764969a71d7c8a1ab37fb

SHA256
dbd68d514dd902196a605552d373028f62fe4e66afe0f850d1e2363530f815f7

SHA512
1292c102479d0aa20f81024784d47698e276e9d5b6e952db5f12e1378407443e94e9220685f6059268ccb8815c29b3faeead44e8f3bea548f4361ade3affdb94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Postcards
Filesize
19KB

MD5
58d137f44a1549e2d1a74016a0414bd1

SHA1
c2a2b4dc40191fa4cdeb1c7ea084c465a61ce215

SHA256
da8769b1ac86cb8c9046dd8f97dbd1a6a7ed699046525b5cfe19be4c5b24db66

SHA512
d3155aad9008af9a2fcf275ca684b782f7a9ed42cb9511cc458a6bc872892cb732ea8289ba26f7b1fb84098f9868b4d212df4275255e8e81d9b47217f73fe474

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Proud
Filesize
40KB

MD5
67edcc30460b2d28a6cfed9a47019e0b

SHA1
f28940d219cfd2a88cb338081e593bd91d6c3d12

SHA256
9a24e2d124db9d16c616702f7e9b21674aa652c2cc9bc508210f90a0205f2b78

SHA512
074d40a3f5d5461541ab3b6835bb8ae5adba6826da426406ed2aae54eac037f165afda676603446ec96572c37919baf6ccb31b5873a91b4157964098e22ef947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Recruiting
Filesize
66KB

MD5
1d91e6961b9caf230a9e918ead87cd3e

SHA1
80b3929c9d637505bb563bf301f5fcffbe73f338

SHA256
8ab3d4409d549bc775ba004e30c4b89a126d65495614cc54888d9d2118d6fb9d

SHA512
33f19c971244c8063eb80ea578f97845ab93ea6d7e468bbd2caedce6911762ca1fd540813e1266aa9e7e348b26fb5f425c0cd676c227f039c935c97226ca4a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Several
Filesize
6KB

MD5
1080c45ab3cf7306d00f87656bd22d69

SHA1
932a0070cf2a000bd7a1d9bdc0719b3fae3024bd

SHA256
b9b1c193f1aca54d552258858a46d39f52e43fce9a1a19797531cd50b8954efd

SHA512
af111f2a99ae8d23d895f226d348d8e43b2bc7d5b6ee6666d436b94192344dd7e9f0b57fd157f4264d8a36e32237c1703534807c63d9b3ca3211b9b9efdf4270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Shame
Filesize
35KB

MD5
764bd07c230e6bb14133cb96017da75f

SHA1
cf838e054f1d69205995771d3470ff7fc249a61c

SHA256
ad249e988b39bec92c7f0d248377484061e7d7b4aaf6b2c84493ce4cba4ef253

SHA512
be99f125345a05d4ffac1326cf571695450ab6fe77bd3ef5321aeadd60dcd52da0352c8cb2e59bde8387302942592116570336aa8fa0c8d89b5f01c89ad0acef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sit
Filesize
61KB

MD5
7a0601f858ec615c4504c20300e1b853

SHA1
7e53a926b05c6b28f79d93573c7913923d5e7652

SHA256
947766483777cd6f1c2193c8ef2ea62b0c42178a23ff03042d8e644bfa7cf5e7

SHA512
43b4d161880a003d8363f69db3b93f3729065d96e595eab3dc6aba923be19e7afa35aa185074207db72055fb5fa4e46bf2b26bac105f2c752daa1e8ec517e637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Transform
Filesize
201B

MD5
aa3ed85843997e7db925261e0014e6ba

SHA1
55281770aa6794c27e922d463bc03a97f866c9cd

SHA256
3653c1f083e4661d03be26c2f2d1c548b70f813ad16d2eb923a86d9a84b365c0

SHA512
e05fe71aa73542d72ae12645345fb1c276af4c0b824d7e9d876193b45e8b2ac2857a3235589d54521619e5f6d6295d2b8fdce0bcd063305b0e69cda06423dab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Welding
Filesize
12KB

MD5
a7c4d72517d6fcd98d90d67136acd36e

SHA1
3f15d583705ad0acd5f9f06ab5a449fb09831e77

SHA256
1e9fbca5770623da565ecaa138ff9c0a8bcecabb1fa6b9a61a4495c12a25170b

SHA512
8d8ead9e3132a37e0516e880da3a4a05ea7a4e3bbdc7019dcfd7334d872a825042288916015486b835e5cb98ae8a14131a6e63402958d3ae8d063e624c493264

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\339613\Twins.pif
Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1192-92-0x0000000003D40000-0x0000000003D56000-memory.dmp

Filesize
88KB

Download
memory/2484-101-0x0000000004CC0000-0x0000000004CC2000-memory.dmp

Filesize
8KB

Download