ad89ce6fc686c6270a53af73d0b2e31b26dfc06cac41989850fb0da1a04a21a2

Analysis

max time kernel
141s
max time network
134s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 18:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
Size

636KB
MD5

2b5dc3847c46d0fcb0926692ebc0b384
SHA1

eb2845377cec3de83eb98ea4c2d2bb1f999a034a
SHA256

ad89ce6fc686c6270a53af73d0b2e31b26dfc06cac41989850fb0da1a04a21a2
SHA512

10c24c08ebfb74094b5b4e002a990c2ff7011c613042c1ea35838c11618bbd30372aa21d32659a8d44bf3639d50474b1058b5deb43545f95a6f63ccbed51e4ce
SSDEEP

12288:waCfbqHNucxW0QuFg64Sr9T4UgQgO9lvBrg7rRw:wlf+twfn64Sr9T4UUO9J9Ei

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1320	acrotray.exe
1944	acrotray.exe
2852	acrotray .exe
1028	acrotray .exe

Loads dropped DLL 4 IoCs

pid	Process
2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
1320	acrotray.exe
1320	acrotray.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "C:\\Program Files (x86)\\Adobe\\acrotray.exe"	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray .exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
File created	C:\Program Files (x86)\Adobe\acrotray.exe	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421442165"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000018eec6c14bb491c4dd6b69246736c3b20d35a0acc22f1ed678c20f1e1d2bd02000000000e80000000020000200000004e4e5f3971ce8335bcbf5a8150f73ea8a4f96424629967c6c7e1ca110c37a6d720000000a14720c5c5694bdc562e1bb7b251d0fd22120c5ba5d86a134be0a98472a4305c40000000b0f86dfa0d360e6ac2d0847753efc7c3074e9b5166972cbc320482ffca790769d5470639d68b5ebb76bc4b031b9174e1e56210ef4f78ec4eb6cd965c8f622b4e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3BDCFF51-0E34-11EF-B2FB-7678A7DAE141} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000e502052246c212c776fce8d862bee321e562c0ad36107b4f66427037e469ebdf000000000e80000000020000200000003a5e981a42613096314e7d8307a16f947a8671d8b281fc59efb264eed15ba17c900000002d4bd7ad5f881349f5d7dd5bb8ffdd0c2f10e797038488eedb09972a21fdf53bfca59777cd451ae23cce71cc2ddc91d7e2bf619f74613c810e17b39d66f9f07c94f57a899946fdfcbdc3b77c474c2dbfa75d70aecc7cacf3926646f8f47300468ce5f8050505108caae5f41423a20b5d1564035f5a316884eca4ffd1974cc7dcf33890d5db7b53a3c7406006604890f4400000001cd6444681b6d47d3d2ebd2db3192c5f21a9f94777c2d23d21fb8044eac61ca351cf739dc7df72494f8a80796d6850460ec2ba4cfbea6c7884392009822abcff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 702123ff40a2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1320	acrotray.exe
1320	acrotray.exe
1320	acrotray.exe
2852	acrotray .exe
2852	acrotray .exe
2852	acrotray .exe
1944	acrotray.exe
1944	acrotray.exe
1028	acrotray .exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
1944	acrotray.exe
1028	acrotray .exe
2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
Token: SeDebugPrivilege	2464	2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
Token: SeDebugPrivilege	1320	acrotray.exe
Token: SeDebugPrivilege	2852	acrotray .exe
Token: SeDebugPrivilege	1944	acrotray.exe
Token: SeDebugPrivilege	1028	acrotray .exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2316	iexplore.exe
2316	iexplore.exe
2316	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2316	iexplore.exe
2316	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2316	iexplore.exe
2316	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
2316	iexplore.exe
2316	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2464	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2464	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2464	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	28
PID 2172 wrote to memory of 2464	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	28
PID 2172 wrote to memory of 1320	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	29
PID 2172 wrote to memory of 1320	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	29
PID 2172 wrote to memory of 1320	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	29
PID 2172 wrote to memory of 1320	2172	2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe	29
PID 2316 wrote to memory of 2524	2316	iexplore.exe	32
PID 2316 wrote to memory of 2524	2316	iexplore.exe	32
PID 2316 wrote to memory of 2524	2316	iexplore.exe	32
PID 2316 wrote to memory of 2524	2316	iexplore.exe	32
PID 1320 wrote to memory of 1944	1320	acrotray.exe	33
PID 1320 wrote to memory of 1944	1320	acrotray.exe	33
PID 1320 wrote to memory of 1944	1320	acrotray.exe	33
PID 1320 wrote to memory of 1944	1320	acrotray.exe	33
PID 1320 wrote to memory of 2852	1320	acrotray.exe	34
PID 1320 wrote to memory of 2852	1320	acrotray.exe	34
PID 1320 wrote to memory of 2852	1320	acrotray.exe	34
PID 1320 wrote to memory of 2852	1320	acrotray.exe	34
PID 2852 wrote to memory of 1028	2852	acrotray .exe	35
PID 2852 wrote to memory of 1028	2852	acrotray .exe	35
PID 2852 wrote to memory of 1028	2852	acrotray .exe	35
PID 2852 wrote to memory of 1028	2852	acrotray .exe	35
PID 2316 wrote to memory of 2828	2316	iexplore.exe	37
PID 2316 wrote to memory of 2828	2316	iexplore.exe	37
PID 2316 wrote to memory of 2828	2316	iexplore.exe	37
PID 2316 wrote to memory of 2828	2316	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_jaffacakes118.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Program Files (x86)\Adobe\acrotray.exe
  "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Program Files (x86)\Adobe\acrotray.exe
    "C:\Program Files (x86)\Adobe\acrotray.exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1944
- - C:\Program Files (x86)\Adobe\acrotray .exe
    "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Program Files (x86)\Adobe\acrotray .exe
      "C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray .exe" C:\Program Files (x86)\Adobe\acrotray.exe" C:\Users\Admin\AppData\Local\Temp\2b5dc3847c46d0fcb0926692ebc0b384_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1028

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2524
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2316 CREDAT:865289 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d71fc9db325cfc5295a3405d691434e

SHA1
db0bf2991ea2dc814e22547bc355a2fb9274f59f

SHA256
28a437eabafd23a10ce7275835bc55fbc39ffca6b063b4da132445875ff95d7a

SHA512
8e1aad44f38f47bf437e5b7a0033014d3035e0eba8c1eabc5f328c29bce5aa3c7d47f325515d7cdd26d4f4b1b30136b003314b4112740f550dd61960c50172c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ecbd127c45d6cffea6fb2c1dfffa0dfb

SHA1
4059626d8a62bf3e311353b2071fad2f7e171d0e

SHA256
cb9e3f49181f5927fcc7ec8daa8004435f092a93aeec74292c7a780c54dcb782

SHA512
dc9aa5a2ed93e1c526cf06c2fce988881c9821545d6b5b5c75dbcdef26c46d4e0567d8989368cfc29e245391dd40cbe66ded0ff600f527c7f9563b7ed1c67f9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c42433a94f1fc4755cd2ea2f01a6c7b4

SHA1
651bd43116c9c02d67737e758f5fb9d97bb136ff

SHA256
1ac76ab3ff516e3bd595cf59cbcec386644b2f80dc903e2f4f606f080a70536e

SHA512
900a57e6eb067e6aff9aae4272fe41982d9ee46def2dcda4f0f61f38d5b981b32649506f60aa4f0d6f694005341176c6daa6b57b86d875b10eaaa9078ebd63b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a562e9d51c17fc410b5e341b4d5d8d07

SHA1
cb8493010854435aa0eb93e04714050cc3f8149d

SHA256
7e8a1b3626db5c5ebd0051ea356fe68da417a2946bd8e5d284999b0dac181b20

SHA512
5c4476ed546c8dfd249c2d1182ccec73f5046c7766335f7e73aa8b91630c80d328284ba9624dd09e329a9703cb5ea311c0fa2267297f58d5c3add9e9c953b021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e651536b2dacca264d0657b193941800

SHA1
a13a0367f6e2d03a86fa4fd3de911cfe51dad429

SHA256
00cafe130ffbe5aec0fdb0d163297efd880fafb62a7c3d20fea069eaf0adaf32

SHA512
18c42ff044407decb7dfc1aee8b96d5a2b0c42b95c1a9e6819731439dbaea872ddc22bc11711cca4d5242c17d69667293e0b28a1657453fba871b458ec0eb253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bd6662406d8b480f43aba34880cd7857

SHA1
d0fd600936fea2e8e59f282fdfd87857d9fea314

SHA256
0428755951356ff92f189173f18599f3884c3db3d397c636344ada87a1a65c6f

SHA512
26afdd818744590789dddd6309fa5814a3d87ddaff9887feeb42dac6f0f2cd66d605b6b4014fe65a84264b751da89d2025ac1532ba6299d0aa176a7a63fd122e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
440072295de783cebb3e373cfadfd372

SHA1
0cadb1c5421c5042edb633256fecc0b8459dc9cc

SHA256
d1b445064b4c6d2b55fbb36939d67553c61d99ca535cd50d885bbc010a161a46

SHA512
2ea98f6a777ae3b8166a4a6ff580d14fa6c66acb8decfe1bb67a5fe2f38e377c041c0d338fe1efbc67898dfb9514bcbd9bf2661ac7b6661cae454e7e969b541d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a49afb6b0e24087577839aeaf496cf8

SHA1
e5af09a02278d023248663bb6297c485ca12a964

SHA256
5b2b640b67cfcf8d3fc9fb86f793ba22e7d9e101cbe0a5e2fbe92796b93d5a16

SHA512
64ea9b6bea167b5339e07bd78c273e68ecab99eab0db63309e366dfe6b0d2ffd624f70b511382096f7096b5699e965d61f4bc11dab01b18fe002f370c396f7fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a61f101c38eeb240b280ff51cbab0ce2

SHA1
086744cbe6b787d3432ee8c0b44aa25ebd8257d0

SHA256
534f48a151f54fc3a8b67ba65d1fd41afa5a0d639cc9a21cd74c2f645ffdf3cc

SHA512
d24c3bb72d50bafc231de2f4191295c6daca75bac3bc7a30af8f93df666a0786c7745f925046a7de4fdd75640d348027cc68ff3d33e7518043895bffc42bad98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6eb859b2ce1ca96d119f866c169d8038

SHA1
20b74ccd69149c6d9f7f2ae5ed26c7d9c02ba225

SHA256
d73ee137293ee1c92b92821510940afb7423f3b79b805791e0045952f8c8abc4

SHA512
56d5fc5c115d2b7b70b6df6ed5ab76be053f3428b99f5e3da9f8578006a2b030c84198decb757061757863e19b6de8b4ea6317aa69660bdc9966ae3acf1c2714

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0abdb9125feb83c4af8bbf53d1a851ad

SHA1
71b1c3d6160169df32f7074228b01a3b80b0b906

SHA256
cde525943b243d143dfe4032d8fadadb33f15c922830d42b57bd0f6e1fbc37e4

SHA512
c6352f1b6b631efe80aa877240526992d9f9eda8ba4f2bca94d525bc53997d343d4c8d78baebc3cdbd7f3d1924b36ca351315073a5e2c42e4433570a3e58462b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
738ea1338d0d23db9ef50f5c6afb7055

SHA1
446f14a67e9dbe965c8b90fa7c3947ae793895de

SHA256
57ed5d79a24c9f15e4fd0a6f0d11167e792c268d1dba4a45d1c4fdb902bafda6

SHA512
5ae5023491eabb3245c2857bbc441a4769503d11d978540a7350bf50a19c994fe458d3d2c34043b43f22d24201049796799a2db66c5b57837a9bd7d7fb4f563e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
207abc45bb75d5795f7d71155b8463a4

SHA1
e3532eccea4b9de25aec90b3be5f9e6f1c28c53e

SHA256
6ef67bec552cc63ca8a1cf6594812d4867e3aff1ebc79266c2d2f3a552554f42

SHA512
4bd5f049701c3a4c8f7edc372bad60540c9b8fb4672922034add61332d986c7f323170111125e3f3b7f2d22b427f37a81221ee002fd5ac918c9e326f214fb681

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
484b832c47fc98e555864f5e1c605c3d

SHA1
d917887a641a6df18732a3f5facc88a64c53ddf7

SHA256
ac60eb44c16428b1f33607d443774fd1a9681a3e8b952f3cf94b9a8712cdb0e6

SHA512
c9ab6d09c96194ffb7d592fc7452362915b6efce951ace43d3d79d6cf729ad721c1db157dc34a927b5f1ab68d3fcf32d456c814ae34b0e1353c3d0ee8b24d2a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b3a256202e650aaecba8dadf0b32224a

SHA1
a806e56ee4a46c3f9a1beb81132639566797beba

SHA256
acd1d9aae73c57e62179e1b0be213310283b3d99d15d83023c3f2bcc6ef6bc9c

SHA512
fb9607fb0633d1ebe61753fd381856ca60b4e0f10f76d1f99a07d392de41d867d9394de7ac25fd0ef98c177ffd14b9a1517ae5a5049f655acdcf2d4dbb10d029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e4703afd9d13f34259126edb6e94308

SHA1
fbe373802b68f8a733e2736e13917d8dcc6dac7c

SHA256
54370c0f34b23c2b72b9a450d4e0774739707517cb063e532a370f5d40f82a57

SHA512
9594fc82a05b3fbde966220e260a84a15ec6602fc4bbd11db5b9668a9a50342007ca347ccc1ebfcb21b929bb8e672be61638ed97445c044ad49ffe10f8487cad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e1f42849d430228d31b72cb2ed5de33

SHA1
052ff89482d609ae96c9cb3e5f2fbcb573984e11

SHA256
95879c8a5c7d4b17cd0773a3ad6032212f6d92cd478a62ad7cd146f90aebaf8a

SHA512
b56f501659efc1f638dd111adb0427747358c9098700a70ce4a68e166ada09afa9a5ae0a5e160ca5e50416f706bc91a6197963c986cffc7b299aed36b84d4316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f853bf9bd46bea3db3b2da01871ce1a3

SHA1
8575f6bbd1511fc4e41b6fa7ee0fd029583394ad

SHA256
f41f67cc47871adc2df7eee5c22613fbbf386aeb21b9fa8f1f9cf416cd56ef74

SHA512
d4b0c3a5f505ab8e0e217be570ee7c82687ee75ec4c14644ea0ef1f2e8fbd66a063d5f507480a4d5510f2ccad7c39c6cdd2c707d7784a32045f31faa139204ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1b7b4ed34628aa411aa33defaff044b

SHA1
bf61ade2004a83fa91137daf2b77511b12f2d653

SHA256
eb4c3d4c3c76d87ad0634b5bfb5ca63c41cb5b92853d53eb96f59e0bcc72e11e

SHA512
b390471537b3090fcf48788a1af85ad80e9777e392e599f4edff6c84c0d3caaedd5fbacfb81989f20ad3180c785334dc43d7e16882cab7f08031272b94f08eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
173887800bc038a6634e0aa116a103d0

SHA1
f69409f2974f068cab71e33bf1e73e2e8649a076

SHA256
1c712b744573616841f232303830c110f7d543a64fdcbffb5cf345fd8bc66ef5

SHA512
8249c90b26746febc48657ce6d875005f952d27345a20f7e048227267891f30b8eca64682f02e3756609b0f9cb1ab31fb80f95fde7ec1530d010b731b0b14f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
49370c0989d9e15d60d6d9e77f75d48e

SHA1
f1893c51de8c65d40fc234e1c67f7cb1d126a6c4

SHA256
173cc71b01aacae93ade3d550a6e9a0e32b11b955a70c024640b3db6d43f4b2d

SHA512
749c2c635a0ca7c55a54044f5f8358f1f2a786d13181378178c3ea21796f1245aac260e99ed2e9d9efa05cfd4fceb0547ee2f6cd42f6f0c99b89c301ceffcaae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F29.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F5B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PPXL7WR47BXCE4YMRVAO.temp

Filesize
3KB

MD5
8c0b012ce517dd081152d4dfa0796271

SHA1
f95891de4f6a2af63aa73f7588837183bf85a5b8

SHA256
9127cbe5a3353bf59d75f0aff05ccadeabc9837d26ca9b27ce8e28e019d7ce19

SHA512
c87d6a41727584ccf1fcdd0a767ec6a9acb8605bea1e203b4bf0b02ae81779925a31362a4adbd95995f4ef061d4a418cd4c3c517759a04641adecd3b3a3173c7

Download Submit
\Program Files (x86)\Adobe\acrotray .exe

Filesize
649KB

MD5
ed027ae5fd92eb72e7425a01f9b13f5e

SHA1
b2eea39ed9001da000eff4e7a89b585ba1e1a06d

SHA256
448929540a4d2e086f466a69cc3952911456c26440f84a6dfa82aadbe8f49158

SHA512
fd3e38349d63308e3f1649ff7fa3a368d8fe78f9dbf770402007e84998f39c98b61314979cc73aa05aa49d71683bf16e0dc5b2082b920a26075a937d8c62e56b

Download Submit
\Program Files (x86)\Adobe\acrotray.exe

Filesize
639KB

MD5
453a2bcafe97ff25f6cc30c8df3eff9f

SHA1
553ccef4336e255ce6c39d8caa60342689f89052

SHA256
3289635cd2bfa996993c81b6b4acc29bcea707280473a3d99a589c2b816243d0

SHA512
4d7c0c53b6fc0963d3ac59d3cfd24ca3d8b3c3e164b0351362dd4f32e30d8930dfec6b83a191a74dda3ebf047b28fb8fc55ad375765fdfbc818b710a175d6fb5

Download Submit
memory/2172-0-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2172-19-0x0000000002F00000-0x0000000002F02000-memory.dmp

Filesize
8KB

Download