Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

18091b0cfc...18.exe

windows7-x64

10

18091b0cfc...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2024, 23:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe

  • Size

    285KB

  • MD5

    18091b0cfce103223882f36e0553c86e

  • SHA1

    302d12dbc56d0b5acf040fc238e041068c46e158

  • SHA256

    04d4ba6f1864426f327e14066671c6408b4fb35db0dab83d672958f99ac3a606

  • SHA512

    2c018e76c19657c532e9c03bf693cf90911c61409e9a88ab84929f0a4141b88b63435b9e44564eb824bb3b39a0115219020513f639f8ef3d357354069eb433f3

  • SSDEEP

    6144:2FryXRup34sB7VF4iE/XO3KxiYVS7GK5xxt8ZkBrVk6s36Gn+W:2NL4A7vG/ea8cSFxx60rVJs36G1

Score
10/10
ponydiscoveryevasionpersistenceratspywarestealerupx

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
    evasion
  • Pony,Fareit

    Pony is a Remote Access Trojan application that steals information.

    ratspywarestealerpony
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 11 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 20 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 21 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe"
    1⤵
    • Modifies security service
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:64
    • C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe
      C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe startC:\Users\Admin\AppData\Roaming\A4B6D\3AFC3.exe%C:\Users\Admin\AppData\Roaming\A4B6D
      2⤵
        PID:2476
      • C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe
        C:\Users\Admin\AppData\Local\Temp\18091b0cfce103223882f36e0553c86e_JaffaCakes118.exe startC:\Program Files (x86)\6DC0E\lvvm.exe%C:\Program Files (x86)\6DC0E
        2⤵
          PID:1680
        • C:\Program Files (x86)\LP\C37A\BFA6.tmp
          "C:\Program Files (x86)\LP\C37A\BFA6.tmp"
          2⤵
          • Executes dropped EXE
          PID:2104
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4076
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:864
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3812
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4016
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2288
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SendNotifyMessage
        PID:3980
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3448
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1196
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of SendNotifyMessage
        PID:3096
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3528
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3876
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:2652
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4252
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4932
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4104
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4412
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3312
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:3300
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3796
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3988
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:636
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:3536
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:744
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1276
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:4880
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4556
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:4784
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2060
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:752
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Checks SCSI registry key(s)
        • Modifies registry class
        PID:1480
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:3092
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2656

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\LP\C37A\BFA6.tmp
        Filesize

        102KB

        MD5

        6d7f922d6214ef1996346395afd017be

        SHA1

        5594d286e8b8e46008426e15ffd53e86f4143d15

        SHA256

        4e58ef597c40404d3286c87cc13ea0563f4d08dacb4b40ea3d8b6744221898ae

        SHA512

        9dc8ac8d33268face5a007dce5cf5c7c1b749f1a656fdc70276ad431392978f47fbbae0e1d625040acc01641d9f7b5341d7b28b68169f39a1df789ea12654626

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
        Filesize

        471B

        MD5

        ca2d563291396b433a5eb6ab508eb395

        SHA1

        d70ebd8b890b20e744fee6628fdc7debbfbe66ba

        SHA256

        1331b80fc1338b8ad7b3774bb4dd33edd7ca0102066bddbbd6ab7c99f8666732

        SHA512

        d7d236a0919fef9bb11c196d0e1e865b3d2a98143d70df8104e901ebe4a6abbede80e06350949df2ad6ccfc213e48de9ae939829ae976ea798ec93b36cc1c041

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9
        Filesize

        420B

        MD5

        8b3ada7d7dc8b1f8e7c2472139c4cf7a

        SHA1

        4a6210bc4482ca7164618979d3f74d242e16f3bd

        SHA256

        7f56a2f8c387d7c6df7362acfc6f14978a180665cab290ad4d9bb82d39a80760

        SHA512

        8112ee5776670535d4030b1633ec9ce97e87ba4801cb2ae6da7ed611cacddb91cd34363ea351f8fc8856f44048e89b6e1b2e27f6e6eb291674798b347589ab0f

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
        Filesize

        2KB

        MD5

        49c09aa9f48e79169b773d7923d1189f

        SHA1

        1f24714e5a3b306c403e5d4193e88c084a05538d

        SHA256

        3acfec64410c43db61ef6d253a7bba1cbb44d9138351a87792e84a88ec33f2d6

        SHA512

        654ef4d5a549939d764b2be625bd7464e8db28824635f06b2b134372f2c5ec31da3558cdf255f31b012ce3557f7475ee35e531e83a8702acc6f48c19cc1acb3e

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133640063788016929.txt
        Filesize

        75KB

        MD5

        ec861d1b31e9e99a4a6548f1e0b504e1

        SHA1

        8bf1243597aba54793caf29c5e6c258507f15652

        SHA256

        9dcf45126bd51fcc0ef73e54cc07f8eec145bc17eef189acd15fba199972d7da

        SHA512

        30cf8103a2043fd7b1a54ce06ff2ca14ba382040297a177fc612bcf55878f9d0abbe3f7ea0e7be6b6981f7c67f8be09d77730670365af3d52a1e25640a224ffd

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\O5QZ4CXC\microsoft.windows[1].xml
        Filesize

        190B

        MD5

        f1ec48ac98257009886c2f0a0f84ec59

        SHA1

        3297eff87cc57f6c47f7d12235c082ce1ba36cbd

        SHA256

        71370c1bef1637e1f4ac8cadcbf8f6a72a7b728075bc32c82ed3a937ffb4be0c

        SHA512

        b698bf4c1282488c5087f42c6b821279790f4f835919d72fb378c5838111c7c9e01010d24c5a08c1a0af3c5a705786b923527c83c242987a1e042c5b44306b7f

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\O5QZ4CXC\microsoft.windows[1].xml
        Filesize

        97B

        MD5

        13adab817a00dd5cb1ecab03fedf923a

        SHA1

        35584141dde82d0f47961fc0e05bb9b2304c2907

        SHA256

        3197cc7a09d98fa82c61045b9cc86148816ca520e2945aced26c7a842ca6c62a

        SHA512

        34247d55710fff2b32d225f3a88adff450ef3430ad746a0dfe24944f78de068d9ae22f0979f9b8eb939488637b5085104839402fb3dede34dace9395ce598f5b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\A4B6D\DC0E.4B6
        Filesize

        996B

        MD5

        74fe9816d451a8ffd466cc7ad8c3b98d

        SHA1

        4e6e44406ededb56274ca1c530d1a46604daf35a

        SHA256

        51150c1e6d62743844c80dae9308dc933b491edaee842b99f7cf500809cae731

        SHA512

        43919a40f911261048bd1bf7bbb6eb058b1056ef32e3492e6ddf194bf30fa8a5c0bb601be497549d4b494d360360d92078321b0a926209c832a2442622dec447

        Download Submit

      • C:\Users\Admin\AppData\Roaming\A4B6D\DC0E.4B6
        Filesize

        600B

        MD5

        88d09a604acba033381899c1c7acef55

        SHA1

        63b51b6d5786d0f48997de4219902dcb5cbca921

        SHA256

        120c26f9163cd42e895c44d10c74d5446548c62503bcf17260d7f33e4c1491b0

        SHA512

        f955bb415232b93105e7653852b60c536f8b3f57ba780d0dfc15f7f1b4416901a48cbddd755e5a6e3d1b1849a2db6e853051fa31d45beba37ec40f2843c35449

        Download Submit

      • C:\Users\Admin\AppData\Roaming\A4B6D\DC0E.4B6
        Filesize

        1KB

        MD5

        7e6178cd622a5ab5349ebf3e0b7ee485

        SHA1

        ed8e635b6bb9bc07239e0f793656421d139a695f

        SHA256

        939eb36bee3797ae6b312f042df28f52c07623d39e32f0b50020b3892cd423da

        SHA512

        e368afe29f17ff4226d3d0ee830471b23491baaacd27c1e26df3a3ce7bd72094b01de48db62c663be099392fc2fd2c5867486060ca9bda93afb43ef9dd9164b7

        Download Submit

      • memory/64-179-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/64-15-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/64-2-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/64-1-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/64-119-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/64-776-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/636-1221-0x0000000003F10000-0x0000000003F11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/744-1228-0x00000232A8F80000-0x00000232A8FA0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/744-1250-0x00000232A9350000-0x00000232A9370000-memory.dmp

        Filesize

        128KB

        Download

      • memory/744-1224-0x0000022AA6E20000-0x0000022AA6F20000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/744-1223-0x0000022AA6E20000-0x0000022AA6F20000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/744-1225-0x0000022AA6E20000-0x0000022AA6F20000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/744-1239-0x00000232A8F40000-0x00000232A8F60000-memory.dmp

        Filesize

        128KB

        Download

      • memory/752-1507-0x0000014B34500000-0x0000014B34600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/752-1506-0x0000014B34500000-0x0000014B34600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1196-466-0x00000234B6580000-0x00000234B6680000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/1196-491-0x0000023CB8AB0000-0x0000023CB8AD0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1196-471-0x0000023CB83E0000-0x0000023CB8400000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1196-479-0x0000023CB83A0000-0x0000023CB83C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1276-1371-0x0000000004D70000-0x0000000004D71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1680-121-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/1680-123-0x0000000000661000-0x00000000006A7000-memory.dmp

        Filesize

        280KB

        Download

      • memory/1680-122-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2104-744-0x0000000000400000-0x000000000041C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/2288-305-0x00000215D2F40000-0x00000215D2F60000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2288-301-0x00000215D1E00000-0x00000215D1F00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2288-300-0x00000215D1E00000-0x00000215D1F00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/2288-316-0x00000215D2F00000-0x00000215D2F20000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2288-336-0x00000215D3310000-0x00000215D3330000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2476-13-0x0000000000400000-0x0000000000468000-memory.dmp

        Filesize

        416KB

        Download

      • memory/2476-12-0x0000000000400000-0x000000000046B000-memory.dmp

        Filesize

        428KB

        Download

      • memory/2476-14-0x0000000000621000-0x0000000000667000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2652-778-0x00000000047B0000-0x00000000047B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3096-623-0x0000000004460000-0x0000000004461000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3300-1072-0x0000000004850000-0x0000000004851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3312-932-0x0000021402500000-0x0000021402600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3312-933-0x0000021402500000-0x0000021402600000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3312-937-0x00000214032D0000-0x00000214032F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3312-950-0x0000021403290000-0x00000214032B0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3312-961-0x00000214038A0000-0x00000214038C0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3812-299-0x0000000004D00000-0x0000000004D01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3876-654-0x000001EABE1E0000-0x000001EABE200000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3876-631-0x000001EABDE20000-0x000001EABDE40000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3876-642-0x000001EABDBD0000-0x000001EABDBF0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3980-464-0x00000000043D0000-0x00000000043D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3988-1103-0x0000016D38940000-0x0000016D38960000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3988-1091-0x0000016D38320000-0x0000016D38340000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3988-1079-0x0000016D38360000-0x0000016D38380000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3988-1074-0x0000016D37400000-0x0000016D37500000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4104-930-0x00000000040E0000-0x00000000040E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4556-1404-0x000001FFE5EE0000-0x000001FFE5F00000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4556-1375-0x000001FFE4A00000-0x000001FFE4B00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4556-1392-0x000001FFE58C0000-0x000001FFE58E0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4556-1378-0x000001FFE5900000-0x000001FFE5920000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4784-1504-0x0000000004850000-0x0000000004851000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4932-806-0x00000274072E0000-0x0000027407300000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4932-794-0x0000027406CC0000-0x0000027406CE0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4932-785-0x0000027406D00000-0x0000027406D20000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4932-781-0x0000027405D00000-0x0000027405E00000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/4932-780-0x0000027405D00000-0x0000027405E00000-memory.dmp

        Filesize

        1024KB

        Download