Malware Analysis Report

2025-01-19 07:21

Sample ID 240531-xmqt5ahf2z
Target 880146adc40f8696390aba42d44c225b_JaffaCakes118
SHA256 2f9afa87ebc419709a7b2137a305d0b2f9022360aafab3aeed34fe168f2cc699
Tags
ramnit banker spyware stealer trojan upx worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2f9afa87ebc419709a7b2137a305d0b2f9022360aafab3aeed34fe168f2cc699

Threat Level: Known bad

The file 880146adc40f8696390aba42d44c225b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ramnit banker spyware stealer trojan upx worm

Ramnit

Executes dropped EXE

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-31 18:58

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-31 18:58

Reported

2024-05-31 19:01

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\880146adc40f8696390aba42d44c225b_JaffaCakes118.html

Signatures

N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\880146adc40f8696390aba42d44c225b_JaffaCakes118.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3752 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4936 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5252 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5372 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4712 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 code.54kefu.net udp
US 8.8.8.8:53 code.54kefu.net udp
US 13.107.6.158:443 business.bing.com tcp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
CN 120.55.94.119:80 code.54kefu.net tcp
CN 120.55.94.119:80 code.54kefu.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
GB 104.91.71.140:443 bzib.nelreports.net tcp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 52.182.143.212:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 212.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-31 18:58

Reported

2024-05-31 19:01

Platform

win7-20240508-en

Max time kernel

119s

Max time network

127s

Command Line

wininit.exe

Signatures

Ramnit

trojan spyware stealer worm banker ramnit

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px10B3.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px122A.tmp C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C71E0621-1F7F-11EF-A538-5630532AF2EE} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000450a8172e12ad765166efbdfc5a55385517c022f950789fe48f3b1572614c548000000000e8000000002000020000000b45d158eca1c1e076473d429fc81f7fba7a292ccb5786f7f40a9f6a1e81dcd4f200000002969e7faee2b9a3b842c7897c8c6169bc257aab588271d2353ec0d6d282620fb400000004cae934f1bdacecdb38b4b376f345d4656e5da3db044c4df189da3795d8692d150a5b848aff0a3057e9274281233748fd5620ba3bf1353b0db9258cbc2836c88 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e93610000000002000000000010660000000100002000000082ebb64aa45bd3b72228bb2700c4548ca23bba09bcb44f769811f2b9c929b449000000000e80000000020000200000003e0fab79900648a4559144e74682c6d372d6206733c04759f0180c565ef6d37a900000001e859c75f4ecfd7a4b7d8cf425b09a01e50324ef19a1a2d049a0feffeaa0cba4dbe2adef6d3e0cecf687c1a99269a5bef5326acb2867e993a5aa05825d4d921d7955beb7ea7a5a2c8c85b765cb4a687e1a477fde3a63aa3f6efd6739e4e02840f403b93312a343ceb8717b99bbe6659024bab2a46199ede24b3b4cf3402225f24fea03bbb38c0ada88abb788ba32c3df40000000f6d52197c9c06c5a260e4c13ab40ed6246782638f5a55d4c0c43acbc5c6853b891dc5b4d8f543bc9771b45d5ac2ab6158d25204e4a649f18a79ec6eadafdde5f C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423343781" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0eb4a9c8cb3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2164 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2164 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2164 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2164 wrote to memory of 3060 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3060 wrote to memory of 2884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3060 wrote to memory of 2884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3060 wrote to memory of 2884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3060 wrote to memory of 2884 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\wininit.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\csrss.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\winlogon.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 480 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\services.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsass.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\lsm.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe
PID 2884 wrote to memory of 672 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\wininit.exe

wininit.exe

C:\Windows\system32\csrss.exe

%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\880146adc40f8696390aba42d44c225b_JaffaCakes118.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:340994 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2164 CREDAT:209930 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 666faefb80b2c2c4028875ce8cd6f3a0
SHA1 1673f5ea1664c67f539a7c31f7fe7cea5a7ae63b
SHA256 da43233d34e8369e6802cea5dbfa9fa46b07b544bd85edd8f256692a5d34fbd4
SHA512 c375ced9c64a0c33e2af498fcdb81c995cc6254e9f6d9f8d7fbd90571abe4ac00d3a1eae51eee4e45c88aa77ed765d86014c043950ff06c0367957ec6786b41b

memory/2884-6-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2884-13-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2884-12-0x0000000000280000-0x000000000028F000-memory.dmp

memory/2884-11-0x0000000076F80000-0x0000000076F81000-memory.dmp

memory/2884-10-0x0000000076F7F000-0x0000000076F80000-memory.dmp

memory/2568-19-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar30E8.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1efa175be3e7d8909804608c15fa45f
SHA1 4efde37b6191bb97344fc9801ae9867490137a64
SHA256 8371eef4c4562b9bb70ad394b15e5c26aebb5d679db0d3dc9cdbb2f584d43754
SHA512 39c4b451fbefc15269368e3a7c78d582357cf167d2c8f7ffbd3ca67eef2d0be1b24e8722ca49df9ba7f97e6cdc90700c5822e6bca363ac95c84d93e0c259b932

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cd754be6cfab9a426057670f9a28d2b2
SHA1 b1eb774357499119f1dfb0a3d84e9891150a727d
SHA256 7e23e5b23af92e8831b0d8f08474f77ac1dac00c57e46b58902272a094795489
SHA512 c21e82932b8d04d1b765e433c07dee842057da8c1e5fbc5096056225760d5b02df062ac6a714de4cd28c64b6ca47179434444078c17f950c821404de088671de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ec8e710db2afd7fd4155d31e4cc6713
SHA1 5ec4d3c0d2543f16f278a0a819d6a7830c2a0fcf
SHA256 8b37ca7d879d0f68c97e2a40ba09018e58d7776017a48bd40f3610674598afe7
SHA512 1f6dee98314b0eec23190740b31c5d199a8b6f3604fc5c24c4e4db3dd67b7366bf2a2765a364e17aa979f3f456eaa4aaff92a20627a78d47728c4cc97178df7e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4352dc7639ceab8d7834abcd57debae
SHA1 99b4a84aa6a80f93c78ee2742eddb653804abd2f
SHA256 6168e57dc89537f709da31ecf94ae095c38fcaae3498ba91e515f83e3575fc0f
SHA512 b481d5abba28373f60fd8c80d559167defc36da721909db88fb283a2d6331b0633547407e57746fbd57a855b608b39247312cafd33d41274c4310b035063aaa0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1743ee610d1deb1c80e8fdb0526fa181
SHA1 ffb8e6f257e9b1c070190be2793fd59a29538e8a
SHA256 20c5822fd73a922c4504912e25e67675ab07be1d28bff209847fc4832357edef
SHA512 a76caf4fbe5f7086a68839b1c1a7de705dae5b79f7279b82b1403d757a134782a7b49a1951516c7dfacd68806d7fc6b5b7d542b060b16612acfa573d16024599

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 608d6e6084682a445f21d4806716e5f8
SHA1 d9508f1f7b584948f681637aead5f434df9183bf
SHA256 1810630ac58ee48bea1439d56f91578f0b65067ba322f2d46e3e533cc3927e66
SHA512 2a3d2a44af056e8a11d8c8e7e380175a3ab3df6af6a5f38b7fe7090b68cc0ecbfe2abe1e43e838aeae521cfa0e758eca103ab3668ab1e56ca929b17b1a1e84e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a0e22c9d8ee902797e2edb639bab98b
SHA1 4c1f4d42f3ce8debd4996f2519eec80ce82e6b07
SHA256 38a1b13e54a7360608253cdbacd198488a1ea9dc1110bee67b2ef9c518a94bf3
SHA512 e48490e9051514406763cd9601ade3a645ed343deef3323f526a8107c87e24aab259e8e9d5f8332996edd44fa68af0992f9a77d9457ba201e2250c3629516fa8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a4b7a50fe7a60c51d191c9a3a38f25a
SHA1 5eef7409b9d0f65bdb71159439e16d8167b2d310
SHA256 1f9cfe85591252c2d19d57eb0a0b4f5537df7afe56f872f9a55a69e98baa3871
SHA512 6125ab04324fe4fb795b6b3736918baddcd4ae87569c2bba48e2ac5b1135ea632185ac305751346f1aab9a6523c4bb85b2fac3a037768da317642bd8c0cc722e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b1ced666f1a3fc780758f508bc5ba19
SHA1 6554720fb5525ef17e480aa0dcb2bd13b20baf21
SHA256 503272c13a3d209b091976179b0e46414bd30d97d641ffb0bddf3e5778722234
SHA512 95e693768e7f1c38e70de0af46594066dfc9f9f038d0555dd1ddbe3175bfb4c74592a23e149c8acc463869719ff0c9553fa6cbad0974c8c40fbd0e4ec07da611

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 07daf640cc342cadc72dc1b8eb14ec55
SHA1 71df9beeb99dcab32b69ac9f2f3f3bedd3e6e417
SHA256 1677bb37632aaefdc1e07bfd6f5f839c0e64c3f9ae270cfd8201ed3a672aeb7e
SHA512 7046ed2602a2be2b954df129eda72110e7f0f4375296bf5ccd45a6ac3433eb720ea08088e8fb306e0f796810fea7949824dc308f69e53563c4e4953170a07c93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b39d562bbedd9eb1f5422c6f6ee107d9
SHA1 b04f2ceea027c5c85ef15eb8165b87f22258083d
SHA256 0d52d7fb91dd753a5946cffb6a17666dd28269a13bcb4190253deef18638fd58
SHA512 95a3220c9f70ab8b281c578b615c94a60f87bf5349b751984ccdf8b7b7473d886497bfc9fb593abde9e2aa4472a4e010f963a7361f09f9180d0036d34bc7a450

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ce2710d39323b89e3ffdcd824631166
SHA1 1e2777a0c51f175a1466b102660f101e433c07b9
SHA256 2038d623346f273aa2017b954dc5b2fa546e1fd0e22c3cc0dc5ad1aa24f7e937
SHA512 acd65d2a79450dc8a2dc48d6ba1721379ae0503c00c6656018980dc6783f00f6de972a33b53851aafe7cc9437953b4765ff1d530f6a5c8452d5a1b8611de5f77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f7711f1e3d17a9ef242fdecb93941cc0
SHA1 be6949c0f034999ef4cf9e87910f59a3242440bf
SHA256 9c1aa160466e11e3eace06e534e266d7e957bc756f3221d99316da54e4e2d922
SHA512 34ca93113b3363f9eeda3a28d7b92fb86d63e22f640b0414ef956e9e4a877136c4089a2104cdb655f26b1cdd38c8734349084af8e87f917ffe3874bb23402d61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3093847627b2accc0f8c77ff267d272
SHA1 feac713052540065a4fca8897cbe508e4c03a45f
SHA256 97b7836728aa1391217e18466a40f6d634ad5ba8693965285c91d0b09beb474b
SHA512 dda2a02f9b84523c363f5f0c9bf38e983f8b5caf60f5967fa61c13e0c49afd5cce79f4ddb13b2943f4c12e8b78f7fde6cf462b582649d00db1744d3b0f048876

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8fbb90c3d0d69caa69cbc874a55f3ebc
SHA1 cf1cc6366e2a170665f950ec2eff1baf10ca184f
SHA256 e3aea4fa6fefe9e0d608a0af719ebe1dc66e7a48dc00958b82986c7aed63c849
SHA512 ca18b8603df86521a5665e174222ab980664a8b8292f76b8ad51ffa537b41ff881ff0e239a9a8232542e3300258c21204a7f5cb5cd0c7a8f9869af177ab458fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 daeb64c1936ac670b9ad3d40614cd860
SHA1 786049129881760510704f3a5d84d147e236de1c
SHA256 efd7ab417b9c194770a639339e8726965bfe0638b7a264215a418f1e45c5b8b8
SHA512 6939fa093fbaa7a8b78d808b05a321a634cc8d349cbc04c489b23f95036228ada9f1e47f0f840cea13cda81c73388c44f4bd333a6f9d0c5ad5b0862952ad4f5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 24e2f1044308b5e4a731c32dbaf49194
SHA1 4060916543c8e23a57e5b33c82296253276433ff
SHA256 ea149eef27883ef5f7977b2f89e70820147dc846f332740fa41920d8eb5466f7
SHA512 318b7317727434897a6c734b99bf5dd229ee0e2dc8d18f4d3f9928f1730021332f26379b0dbeadc3b739a161f269b251e68be8dfe333a58e19a1d71c752bb06e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7dfdbc6c7bd399d17b10918efade279f
SHA1 0de6e176709dfd9a5d392559976e7e6605548de6
SHA256 bd0195af71d029e912ce2f2ead4e5a7bb1bbc49535d0021f023c2ef3ebdaf075
SHA512 f1c5fcc88c50fa192f6299c10bf02796f5f759ac8994a5ff6bf253acc31bc8d7db1e9724e3548d2cf3979c4bf6be3f19cb25b6ba66119b6e2e97ed61c248ca09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5885db3be2c8288435630752c5b70d0
SHA1 4b1f3aaba5b4a135a96c095ccb63c627f3209bbc
SHA256 4a595fd2ebe59211bc1d5bbc36d3961fa6ab0c287e8f78f6a68c6fcdabe8e0c4
SHA512 191aa30a50f398635f035eb2879f8b2b6e2fc6d59de42687e7a1192a676665ef0d60c8ec1abe19d72493793a75672fc1686d837f46a93b60926e9bca25e456d9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a2006fa38637cd01962fdff47884e2d
SHA1 bb64bff726fb96d44acb74b3307d40eda7ddbc7f
SHA256 d2b2f239709a25cea9c9e07c590ed915eb1ae189ac558543811266bf72aeda54
SHA512 bb01497363074d4fa601f8216323fda833c1507dd73c430f118583e57718ed32fdc54ea61980bbfa8fb31b96f844cb51273d5b9a05e85cce9f3005e14155dfd5