f13eb9f1359f89ce113e3b4c15ad522eac092d384e05ebfcb4933e004f4d6f4c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07/05/2024, 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
Size

1.3MB
MD5

1f1ff8b88ec8f64dca0967efad350c55
SHA1

8866668a9f50566a9dfeeccbabfbb188678705a2
SHA256

f13eb9f1359f89ce113e3b4c15ad522eac092d384e05ebfcb4933e004f4d6f4c
SHA512

8a5ccff090a78b5ff0ba2f99423624ec857fdfcdd79050fac696ffc59a05170f3f3d957d4054b14c57bd7cd8ce3db0eb93e0a6b19ab423376ab7f269614f4cac
SSDEEP

24576:OmbgEspP+dYIQiBMX9SmmB7DAAymSWqXXQn:8Esn+7VypHc

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2008	wmpscfgs.exe
772	wmpscfgs.exe
2796	wmpscfgs.exe
2852	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
2008	wmpscfgs.exe
2008	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
File created	C:\Program Files (x86)\259414936.dat	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
File created	C:\Program Files (x86)\259415029.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000a1e2510f771d49d2ac5cd5b8ccd3da3debba2e54f45e8d62393444617f835f96000000000e80000000020000200000004f562fe644b6b4f3bde04a2edabe798f394fd6b86493b429484961c03efb8fc2200000000e6e9bae94c7eb29cf454f13b1ef4766fb5008f55624d82a1519a54a94d66d17400000005cab4c8ae2e68ef9360ed4b7cb671082587fecc27f605ea69b25483e5e41a13863b54c98eb7441a0e00270c6e61adee66ea4142b0783f2d3043d793c48d163fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000289ea60b2d43a24055f480118c1a91a6532404bf32c3392defea44ff8fcc371b000000000e8000000002000020000000aab30db6a0f18575b9ec8ad2ea9dc04fd584d27c301af2556983df199112654e90000000662048b2b2010eb5c3d882cafaf30c44a031281e6e0272d085549b77b3fd42799fc18419269c85a0dbb05a4d0c24ece7e7c25d3729f3d224a9d9c4214fbb58b44f0c7e8acb0850305530195f4ff4537b1d17c0bd9ff5edc1def07bb9ec8469f2700d1cd84241a86cc8189f07c06f6d6eeba22dd9d9207450c3fb5d3c16375aecff56cf6dfc471bf337f080dbdc4610ec400000008bc496d16ebc8e65dd68752b05afff1ed37f47855a8cbef04464eeac24ecac444a4be5336939c78c3635a6b5fe51bf872d27d6e539dc41021eb59f521c65ce53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421210592"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0FB0E671-0C19-11EF-B7A6-525094B41941} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0c101d425a0da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
2008	wmpscfgs.exe
2008	wmpscfgs.exe
772	wmpscfgs.exe
772	wmpscfgs.exe
2796	wmpscfgs.exe
2852	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
Token: SeDebugPrivilege	2008	wmpscfgs.exe
Token: SeDebugPrivilege	772	wmpscfgs.exe
Token: SeDebugPrivilege	2796	wmpscfgs.exe
Token: SeDebugPrivilege	2852	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2460	iexplore.exe
2460	iexplore.exe
2460	iexplore.exe
2460	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2460	iexplore.exe
2460	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2460	iexplore.exe
2460	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE
2460	iexplore.exe
2460	iexplore.exe
2500	IEXPLORE.EXE
2500	IEXPLORE.EXE
2460	iexplore.exe
2460	iexplore.exe
2628	IEXPLORE.EXE
2628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2008	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	28
PID 1512 wrote to memory of 2008	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	28
PID 1512 wrote to memory of 2008	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	28
PID 1512 wrote to memory of 2008	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	28
PID 1512 wrote to memory of 772	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	29
PID 1512 wrote to memory of 772	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	29
PID 1512 wrote to memory of 772	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	29
PID 1512 wrote to memory of 772	1512	1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe	29
PID 2460 wrote to memory of 2500	2460	iexplore.exe	32
PID 2460 wrote to memory of 2500	2460	iexplore.exe	32
PID 2460 wrote to memory of 2500	2460	iexplore.exe	32
PID 2460 wrote to memory of 2500	2460	iexplore.exe	32
PID 2008 wrote to memory of 2852	2008	wmpscfgs.exe	33
PID 2008 wrote to memory of 2852	2008	wmpscfgs.exe	33
PID 2008 wrote to memory of 2852	2008	wmpscfgs.exe	33
PID 2008 wrote to memory of 2852	2008	wmpscfgs.exe	33
PID 2008 wrote to memory of 2796	2008	wmpscfgs.exe	34
PID 2008 wrote to memory of 2796	2008	wmpscfgs.exe	34
PID 2008 wrote to memory of 2796	2008	wmpscfgs.exe	34
PID 2008 wrote to memory of 2796	2008	wmpscfgs.exe	34
PID 2460 wrote to memory of 2628	2460	iexplore.exe	35
PID 2460 wrote to memory of 2628	2460	iexplore.exe	35
PID 2460 wrote to memory of 2628	2460	iexplore.exe	35
PID 2460 wrote to memory of 2628	2460	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f1ff8b88ec8f64dca0967efad350c55_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:209931 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21b7546eda3e3a691cfa6381c23f0bfe

SHA1
1199ff41b019ba408c0e8c2024be92b982c892c0

SHA256
f34c5b75df81f77ad0da7196734dd50db67d0cb62dd153cd6c3ba3c73cf2013b

SHA512
45f7029aa44b59fc58b0db4c5f6e3fc85b3abb337e73585d67e12cecf5862190fca695e4315c87f17042e387afa0ed845ded5e8320d79bcc0766ec5763603abc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87af65e4f255f5570488da8a2c3e2437

SHA1
ff7b888576c67217e076209e4eb8d762456ea9d0

SHA256
d9146128f496e5e868babf3b841b13e91b97a97b9d6b820df461db1d1e4fd0e5

SHA512
d77a19f5cc5d775283494f6247685317b8ed13102aa4798402a3c37bb21be134fff60fb91aa46805c600fff76a1c29e7931d1dafb21370092fd5acfd3688aadf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
48694db6c15aa528cba68618f3b5d515

SHA1
71a3bccebef01b9a384eb9ba18fa96f8fda90507

SHA256
55f3ed154e5a8f291d06d67523e99dcbefe5f6074407baf9468ae89b678a3fa3

SHA512
5274a12dbb976d0c8481af77891cd5bdb04d52eec5bc141c11580ef0618abbb5b99013945af5ff6807191a529ea99a637592f04d805549824ad899efad033dfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
312f97af6705944ef43330ff1707e5b0

SHA1
6d4dccbac3b13d912c06319196d7df39692a5bd6

SHA256
6eb07e38d5d6b8d2bb8a3d4ebb2d81471005a98420e2ba0edf2d50d26418b89d

SHA512
eedb3893fb9580c38a19a41057a7869c1291f26b802899e5d3ab025843d2d8f166d1987a8396c4d61e5de5ee5b9fa0dc4b71071521b0e24519c64774dbb275a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
586adc31ed07f0088b778b2e44866492

SHA1
8e582eaf146299bdc5d737e422def79b36a11fa3

SHA256
bd2da7d87301963b675af77faf5664c6916c40ee651d21b2c5f9bde4b6407ccc

SHA512
c5c416dc00b9896c6439aa5801d74cbd34a167439c48227d28c771913a14aef5b0d93782efaaeed9fad70e733e56f322855194c6079c46bd5eb7917d51159b63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cd727c7eae6e893bb4c9a24c0ce1ade1

SHA1
6dca31f692e7d14b0713f60132b2a44ce8d7ffcf

SHA256
2eb0b953011d4a49d43b52d6d4bd20ad33a992e1d030e35ae90d273aec80a850

SHA512
65ebeb788c37bc9d3b95d3a23bb5ce49f7cd36dd85b4f8444dd7a2e3d5d30b87d00a95135e60c07b405b9c1a28db30efe461af4b130b3488248ad5b44d34043a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21a1c712aa48c8391f1d0320c1d0bcc8

SHA1
42a2e8191df80fd06687f30fe819e279ae3ca204

SHA256
216fa612486bb1b567757b41eaa847a3db861d650a415b5af7255f76bb35d8a5

SHA512
4829b5ff5a239c8faf470e327dc4e1ddd8eb9c85e57c672c506386a75c485f598ce3a835596d3b13fde13561bbbaa0b65200c92b34810f3e795c03bdf78a1351

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7500ad0879113e2d80abd48bbb337e32

SHA1
dc93132b39c429fb825a56d808720471a70110a0

SHA256
edd7c6a1c4b237c50f824554780c6fe9791c4f2728be3b077feadbb8289f31a3

SHA512
62903b1512e5c4cf4c40b844153afbcff4d0e3c29dffd91c8691ed81830302b183018d6a33f09dd0d65e47bd18c4bcd8cdcac5e3e256d9ee75a27901522f62f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
943edbe9d1a2a5d206c96a42bade93d0

SHA1
1242d311c10a221ed297e8a2b72b44e84d67745d

SHA256
dd3f535df8ccce83af0a6322863d654f6c89cfb3d5902aa1eeac8dc58064dfb6

SHA512
0af772fc459d139c96172adc342354e1a0c80940de6060ba4a4dc88977c4b2744533f1d0435c969760c7b1edaaab7c92aacbc9a16b137b4dc03cf8df5418653e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6fa2dc6abbb74a288c0e884e8f8a0710

SHA1
064fb1c902698d839414bbe126039c51233441fd

SHA256
c59b4eed4da004ea136a3cffdfed5ca619f6d39d963962fc45e47d6d11437e83

SHA512
e31dc591f24ad2223a9ad2e27c9c5c03db1fbaf1d4abdf20faff437034f23032aa3c9c0c9db0686ef1c5bd47f48c95d1027e5bae00669a59e512c390e17971dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25e076f0490c2a7edacf02a80089b886

SHA1
b550baccecc67ac1794af7ec4a3bdd6616fa05d5

SHA256
a0325beb289e1a038820b591d5238c90a422ba1b911c3bdc7b050c55e41119ac

SHA512
1bcb0b562cdd783f71fea4dece0b959e13015dc81fdee8544998b5447f782eadbc023053d5d5c70ba818b2612c7aa706cda2f2e9a603feb121c981fc9a1e0d98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a3e266c3c5f191c9d0d7636cc2ea1bd

SHA1
1c4c8ec10994d0b20afde4212aa378a963b1c274

SHA256
51a755416c03a78a140686a3536050077d074b62093ef60c02bc7d1e9581bcd1

SHA512
59bfdc7f494f17ec8e95471cab574e08e220e8a6a7995685457c2c3172e940d28d23bcc59dd67cb04d85168fa214bd4e5423fc2470735dbe1db9b771d864f80a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a006d0d9e8185a82f8b85f7cdfbb74fc

SHA1
37de7aa216e83032305be23c6e8e348e33bc56b1

SHA256
c2bae36f4debf0e9e3eb4acdaf4b124fe6918dc253604c393a76213f26970855

SHA512
cef2715100f37d88d9b4280ea6ce139fecff116c17b9d780d88803e6e2f78846d1cc4a2b4f216c2bee472b6d452b0abfa4a4dae1bd9e7f73bdef9ba51679ccfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3402998fe2fcef13e9120f84ae9602de

SHA1
66274407f83943d2be07910537a40a8ca2aeb031

SHA256
74d9217d561baceddbca0d5bfad72f2b6b044d863a8bd459078d330e8ab98527

SHA512
7841853b5cd3d90fd52d5772fe694a2016fa81dbf5b67332a94182d67b41761d63c925e8d34b0634f33c939a0d2843d52063324c9bdafed2a8266502d17adaaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bec1816c00d85dd02eec138d261e9a5

SHA1
2667d16a3bfd666644ce12b1f2c1942bb94e4e26

SHA256
1022c8a2269ff2b5d1ebb66959ec1e80c5a2bf7339c280dbe0446a4b5dba178e

SHA512
3b11d08cfe378109a664d1f489c406ed6ea5484c952ca46f92a8ced3cf6dbebe21b8722c2e768dddfa2d991508e9e9320ff4fdc6a78d03aab6ce148f5180ce3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5848450e034006e80e68f5c54c0b8a64

SHA1
0406049324fcedf78bfa699d90c5618fc084d72b

SHA256
4f20ed94da642d697e8bf4dc5581f84f88c333010a5a685a39e060f3b7bdef42

SHA512
2a5a671f452ee0a695fc155f55970f5efdb80686e6e14054c8f2ae36d24acd4ee6cedaa33e3c00939faf9587c156bd9a247aa55257dc50a164ef5a373eedcaaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2e82d79d19ed0698e505669ddaa7240

SHA1
216351c4806c9a494d147fffeed31e0dc5ce6e4c

SHA256
45118328db9f7b346b96cab83b218fb18211f4e31ae98f4a2fbcf5908ea195a2

SHA512
6064a69f4ea75784eea8b2161f7a9345e66d7a4bf3741fb9405740917f10d16e35ecd867f8441d2d8b59bb29e14b7285199ab13399629e83cb3eea039624d6c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\673IEUYT\bujpGcazZ[1].js

Filesize
32KB

MD5
f48baec69cc4dc0852d118259eff2d56

SHA1
e64c6e4423421da5b35700154810cb67160bc32b

SHA256
463d99ca5448f815a05b2d946ddae9eed3e21c335c0f4cfe7a16944e3512f76c

SHA512
06fdccb5d9536ab7c68355dbf49ac02ebccad5a4ea01cb62200fd67728a6d05c276403e588a5bdceacf5e671913fc65b63e8b92456ca5493dae5b5a70e4a8b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab77D2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar78B3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
1.3MB

MD5
aa6b5432d6896a02c4373ad96e9bd284

SHA1
bb793b1d8fa03f4e7829d51b1e75eb9e0072615d

SHA256
a393b52c0891001a94d9629a492243f771c48bab188defba92f30342db8fc459

SHA512
f6d02ba09e26be99f3e82afe9ef520dc5070557bed8c72335af38d6f85194abb5b766435bac82f39cb28176b713bb7003e985b378aef7dd9a808e0bf262ad1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFC1AE71C73ABBD5C8.TMP

Filesize
16KB

MD5
665065da2939242a2c60d08691ea1956

SHA1
38d4dd152f0dbba1d4fc65fe0f3c9bc2ebcafa5c

SHA256
6d2035992cf170962b874325c719a5f022d58d553abb0a1aac42047930e1cd3e

SHA512
08fa2587bcd86cfaec61f8c0300ce99b15c0ba1e14ad09221349d16c14d29ba4434d26cc2a872f1994a95bdc85b8acbcc38227da832d2e56cba275ef04984a51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HPHTTPVD.txt

Filesize
123B

MD5
3dd66c4540a23d3283c75598e91af714

SHA1
3d31fc776273fb8ae1227e5d8980ba5b98c807e9

SHA256
a9c820c6052b41bbb8f22c4b73df359d2aeb79ca0fcd308c7cb69b46ab3bb441

SHA512
03d971ca7b6304d8f3a92e62707c6c7dfff63fcf0433ce6d262d5977568fdcda2160e00e3cc1a537988925a20dd95726ae3a0bf49e748a9ad2ead6b7dbc6b381

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VER5GA3L.txt

Filesize
107B

MD5
b7d4c83a0a053e5aff473fe6c7f4735a

SHA1
306ba0638386a626ade41b807433bbd1f17237e6

SHA256
5ba5e1dbd4f58c93a818a0e995e6172c2f0b6be69b592d9cf5bfdf15fa9b1c03

SHA512
0ad26b817d40ede7b374878c4012975721be83f107647e173dfb1ee8588a0b9fcd952ef410cb2074a6b3bfd38af4498035b21a914a65c0bbcea2146162a61db8

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
1.3MB

MD5
6c04df65e33041f8250f63043b4e6d46

SHA1
1931166d7ef8be6794afe24cec90ed2a4689e0f6

SHA256
99e30f824bcf178c0501f763400466d35ca82b52f398c7995657b114a930e137

SHA512
e1a6bf2923918ccf402c123215ac5cfc58c9e5a3562514ad153c5c4370b8dc4d6bf667f084e824545cc65989cb9f9c29b5ea4e672290759f220e0adc17d2895d

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
1.4MB

MD5
08dd239a3f5c4c8a2f7f5f00ed920076

SHA1
1e7277e5e234e070482e6872fa7caffe1b369113

SHA256
44fb09bd89892acc61af922497f04a51b3c12e7da6607863dab6e78e2af8eead

SHA512
e5f6eae8a35d839e4bfaa3b08ed9fbbee98f857d50b7a3d297c7abe43912d5cd61d906a2b53867d54d4549df8031fc57729f771ea885c5ebf59479e2744888dc

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
1.3MB

MD5
0276dfb9f9e1dde04d4a3b307ee9cae7

SHA1
91a0435ac1df942d5e92f5777ce15b5cd4c60327

SHA256
f6f63abd801ee9ea677089c1ef2711cb3e00bec79998e9e3b8cd8e7d300037d9

SHA512
0b56c70050810859c40c2769cb96c30824a31ba4b1a480e345ee366e9928c8ac73847e62297b60582efafd05562824acd6febb0ac36415561ac07de0f9823c6b

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
1.3MB

MD5
8bde1a498d5a47f584532b4518ca2e98

SHA1
34dcb584d71d018d1baf33a801123d91a58ced76

SHA256
7d4bd79d49869d5512a25725e94c685bd923752be5b5409ca31f02d409c43d00

SHA512
90e4078de2f6dd2a128d433bf5c5de86618fba18798b1892a2dd28b80b32d8c7151c4e33be8acac8e94d3d3dbd60192820171a63e3c5056a8b4e299ab959157f

Download Submit
memory/772-35-0x0000000000780000-0x0000000000782000-memory.dmp

Filesize
8KB

Download
memory/1512-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2008-57-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/2008-23-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download