a8117c7ef52af0ed330182fb8f42d4edf1321a9f73e43630c7d38bbca74cc6f2

Analysis

max time kernel
148s
max time network
136s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
06/07/2024, 16:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
Size

2.5MB
MD5

28ea4688b01ba8a30c54eaad99a699f2
SHA1

b49a760186fa3715b307162e18dca70b26bcc02d
SHA256

a8117c7ef52af0ed330182fb8f42d4edf1321a9f73e43630c7d38bbca74cc6f2
SHA512

12c172ca2d1c4fc375c96a94a473e86e7d8efc3920b61f1f33fdf74cefeec5516cbb1b620c1cb5bf39a91e1e33ca9e1bef85b9ecc79fe985b222f2951ef9aacd
SSDEEP

49152:PnCVwNDh9wCG0f3/Ok7TryD+ZgPGCC+SKEvCup:oQDjhfPOk6enKup

Score

8^/10

persistence themida

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\System = "C:\\Windows\\Fonts\\BPK.exe"	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2148	BPK.exe
2528	FORYOU.scr

Loads dropped DLL 3 IoCs

pid	Process
2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000c000000012707-11.dat	themida
behavioral1/memory/2148-17-0x0000000000400000-0x00000000005ED000-memory.dmp	themida
behavioral1/memory/2148-510-0x0000000000400000-0x00000000005ED000-memory.dmp	themida

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\titles.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\bpk.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\ft\web.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\mt\bpkch.dat	BPK.exe
File created	C:\Windows\Fonts\BPK.exe	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\web.dat	BPK.exe
File created	C:\Windows\Fonts\ft\bpkch.dat	BPK.exe
File created	C:\Windows\Fonts\ft\bpk.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\FORYOU.scr	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\kw.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\mc.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\bpkch.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\mt\bpk.dat	BPK.exe
File created	C:\Windows\Fonts\FORYOU.scr	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File created	C:\Windows\Fonts\mt\web.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\ft\bpkch.dat	BPK.exe
File created	C:\Windows\Fonts\mt\bpkch.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\mt\web.dat	BPK.exe
File created	C:\Windows\Fonts\PK.bin	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\PK.bin	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\apps.dat	BPK.exe
File opened for modification	C:\Windows\Fonts\BPK.exe	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\ft\bpk.dat	BPK.exe
File created	C:\Windows\Fonts\mt\bpk.dat	BPK.exe
File created	C:\Windows\Fonts\ft\web.dat	BPK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc584463d2e36a4a903b1d98204823d2000000000200000000001066000000010000200000004a5c5a156c4b8e5fc5ff097c7b2a1021030e486a91b9f7e62885cab0343e682b000000000e80000000020000200000001715d6839a4dc4de26ee5abe07f4d110abd5a8e519ea168fe9a72031febe784d90000000b063139905829bc3aaba7edfa3b2773ae9e9a57b1b3b88c96a6480d15c0f6e5437df14cb6058bc18175fd3881b9b4f6b3210c6cabfa2acfc0cfd138885b929afa4ee23a79f807ba1958d25444579a455faeebd3235086f2373c56aacfc3d77412090cb587cd64b9ce613d5b810b3255c3b0ae7a48fa5c88837ee8195d1cafbc210c5a27ce310ca73edf4a95319da770840000000d622e9ac7deac4e38a9a9030d404d198456dca33dfa0ab94de9ccfdfe3b6d0e7cea59d61278d3a7dadb56cd9fbcff51659d053ee01c54d07dcb7285fc0e5541b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{05EA25D1-3BC5-11EF-8F92-565622222C98} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c57bdad1cfda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426452154"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc584463d2e36a4a903b1d98204823d20000000002000000000010660000000100002000000034904f93add5f506aca7412faf12b4e1e5f65515c171a8d6e677a46c6d875fa6000000000e80000000020000200000007ccd3b4b5ec1ca4d52a6fe5ba5fed9627a3a36880e24f599c922006205c4c27f200000009f49998f9b706a7bb2e0cd603c27d7f8d16836e2f03d8c92bef0c12a129d4f054000000007985e0fa1ee6f75ec303952841217677a9ba3a245aaa88ad888fd0d494871071c0993cc801efce9a4c25654fbc9b2e44ccf40a4df54640f625134ee54349f18	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	FORYOU.scr

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2148	BPK.exe
2928	iexplore.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2928	iexplore.exe
2928	iexplore.exe
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2448	IEXPLORE.EXE
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe
2148	BPK.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2148	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2148	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2148	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2148	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	28
PID 2868 wrote to memory of 2528	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2528	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2528	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	29
PID 2868 wrote to memory of 2528	2868	28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe	29
PID 2528 wrote to memory of 2928	2528	FORYOU.scr	30
PID 2528 wrote to memory of 2928	2528	FORYOU.scr	30
PID 2528 wrote to memory of 2928	2528	FORYOU.scr	30
PID 2528 wrote to memory of 2928	2528	FORYOU.scr	30
PID 2928 wrote to memory of 2448	2928	iexplore.exe	32
PID 2928 wrote to memory of 2448	2928	iexplore.exe	32
PID 2928 wrote to memory of 2448	2928	iexplore.exe	32
PID 2928 wrote to memory of 2448	2928	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\28ea4688b01ba8a30c54eaad99a699f2_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Fonts\BPK.exe
  "C:\Windows\Fonts\BPK.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2148
- C:\Windows\Fonts\FORYOU.scr
  "C:\Windows\Fonts\FORYOU.scr" /S
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\InstTheLatestFlashActiveX1.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2928 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dad26ee547471176e057f209fe802b0

SHA1
e4fbd5a4bb5fa7d78458f08f54c2bd17f95766c6

SHA256
8c4e3daf02a4b48fd62cc1e79806adc793c43bdbc7c6cce214d365f463ea994c

SHA512
15556e4e3c70c4aad1082078bc135f00b59856e7c7df86346530f3e4006529338387ef615fc3fface7af34507fc177cb1741690a8b08c185f13aed9bc82d5166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aa9acdcf13b48c4f57876e759e94326

SHA1
3b98ba181a53960ea5cf23377984325c576b3211

SHA256
ea5bf17269bdaf4fc66a0a53dc9abde7d3c395e2384c245dc5a0aab6191245ca

SHA512
c0ca5f5161b24b25b45350eb64bcc20ad32631fe5330a41cafb4fe9a2d2cf90aa1175c646279b50d5451c9d03aeaa63ed562d649044544d6d1e043301db32420

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffe183c5e959230bd57a26151ef45a50

SHA1
f4ffb66519e512d05845be2f8160cff098d7f14a

SHA256
c20106b017e85647681c6125cb2b9363a669f0a2e4e0a3cdb3336bbea256e2e2

SHA512
5cb82f0d473480fe4dac6e6b0394b1966d67b11ccd14998497d29eb290dbf33b474cdb67db6a6593ea8484604195ff93c37a98db768b614f0da9a66a77a4f4d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10bf578f69621fe4a341fd49f1b7a3cb

SHA1
075bb770a2ae6af3e5619194a43d0b009a5cbd9f

SHA256
00d6742414105a4be431c582bc4bd16883023b0c843c9779191432720aff2920

SHA512
40882b96c129d3e0b0fa0529a8267a587354745e8f6ad88d90b8994172657e447227322f3e7193b70e2b6fb7728dfb6771f94f885e75a679802add2a3941cc45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d39c97f2b3807549f3550b36f526d09a

SHA1
d97770e5450ace1ac271238f0e226c6914075ab6

SHA256
47068065bdaeae3332e699b28f33c473b1db7c3544f9791b58e4b3785f47511a

SHA512
8684c19e304ebba2a2027cb2c6755b9dd1068fb899ed56396e185560e7883c6e5a39f43f7107e52f5abdef648864f00d38a1ba6d289733a9e090d796b2e615ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715451fbf39b0f065f150743e74eda17

SHA1
8a14efc350c80ece66435e10925bdc2c9786fc85

SHA256
321f3483367f19a04c5fe5c2f2f6b17da1853563ffed972381c0ab645b479387

SHA512
13f1cb602750a74ae1147049794467ad77d678ca8ba50296252a22580b3c813893a98215220799b9bb6018144d0bf4a0a8ad7b5fd42f44d112ff1d679d3b7c6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c320ce90490d6c02d4a13552c4bfc20c

SHA1
5a40e8ac217ecbc4cfdef80818d95c63a7df388d

SHA256
7b7cb3b620aa154e5a24794756fd2e8b1804261afff85e098d3b84ee12439240

SHA512
f07acc199089d03b6e3e32ab2091eb33eb57596d52f2d10ffcd26d43785982e9a08787f26fa0fea54a79de295cc6bdc40109e421bafbedc8e1ae686be039dcc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b04197ee936997d42f3859e9f663fd

SHA1
5527f2df2c791d4d22332bb4460196e5354633e2

SHA256
2705b00d362afaae43321114224d3733735629921a9f6d2db50415dd654bec37

SHA512
c9eb22e71d35278a205fb322fd67848b9849789eb322f0ce513e973f4964fda4ad5eddb295716d5e9e194e226fff46ae2fbd7cd689bcaa2e4f602b719fdb9374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57faaa1bcc23762cb2f00030ddb49b94

SHA1
3a06e570e3cad0a7a5de71bd043a5e5e144e05fb

SHA256
18d81325968025bd91c9de801695cc3ddccf96cd30e8876365f70ea458a7c988

SHA512
53cb8e2294c8cb3162edb7d3d83d1e308eb4a5b8dfd0a427fdca66d6eb5beca177dc77a77bbf9e862f5a5d4463f0ab176c4886720ff92b6af4be74c659b5aca9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d868a6f6fd49617d92b8ade52f0823c

SHA1
7a03686dbaac106aee6b88fbfde055c81cbca5c9

SHA256
f93f7e9b79aea15c2632ed2324a034ab5ab284ecfae45e5d4ba4d58adeef07b3

SHA512
61f1f3334d8aec98383663c47b497b78c551dfa77d9b3781ef32a3d04d0f6393c45c37bf702c861d59b515f1464e37b9a1cbd7f565bbb6f1d2a3bef11bb04a94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf6c1487f90f191d0ed6b3da767ace3f

SHA1
e57ede7d156cdbbb8697fa44ac88fb686760e5f6

SHA256
d7bb419cf7e89fa19e572243214bd90cd78286004f8cbfc0937379612fce7aa7

SHA512
ffbeb20dcca75bd04abdd62bd25c931a3d12d9fe6f280d4017c989ac43db14fd913292fb4a6137d5ece29e9a424a4695666ec19bac408d0c43d0813ec57fb1c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b6fc31c7f0fe16e7d63363562719418

SHA1
9ea2baed9cf333039534663ad7e10bcdb400e5f1

SHA256
e39cc4a6629cbe147d15b3e0dfe1ea544feae90b4d7ebddc341caf75ffabb699

SHA512
df495d17b8c31c636932821ea0071e06810ad3f5a15a8c5b23e980453024b6905dba9d436623b1cd185c2ec9e83bc4fb9f1d9fcb0d840728e6e56cd13e19dcdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
425c08053e168562a53c42dd65435bd3

SHA1
d1b9c27dbb2da8cfa8bf7c8981713ff768923f82

SHA256
225f5091eb0d899cd4d3fddb61f167155f746d615927a622409bfe7db74f93cc

SHA512
2dc815b83107bedf44626ae12bc91521f178f0c01be965509adc18e2e15257591d644c45441743a00e47b173dc23b13ae3116224bd8913fc529fb788f6e347ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93284f47e01ede4f7d3708fe8e1e4246

SHA1
9af71f753f1d98450ca8867a37eb61fbf18ec05d

SHA256
be7ff918ed88f0e438713e6658386e49fecba67f92c574797b007acb0d6a7e0c

SHA512
ca688ecaee275a079fadd49d92330546546b54e57caf3b2b2531a178c37fb9601dc88deca406c22aad1d5471f517bf8a1ef8fa9991503300b8d0b52aa65d2806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
487cd7446c776734d0de140110b8f6c1

SHA1
3ad00f4e41b7c089b280b9a3611dbdea8a5d2547

SHA256
93bfde0a4d5ebd55d5b2d711ff5c3c843b1474c242e983c4fa94dac2d84a8b31

SHA512
64b171eb24695058a24035aa61b4177328a17c19be4861fe8d1fd8f1296b74de1feb5f774b7a87c3c3c4d37621ef90dedb5bb90051a78d569fc055c82c5f0ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b40eca3a267889b27999bfa03b201118

SHA1
bf3c0ae86f5c1414873ff1988d81a75d2f5f9710

SHA256
78a11b123c748d553d833aba582a41f0bc93f2f0c7e437577a5e6dbf841fb593

SHA512
c75fa8cda5bbcdb23c8b68bdceda4eb71ebd9d2e17e7e263e629ca3c80e8e0f94659a5c4b1536f117e1e1b42690b2ab89862d886c6b8f65881945e5ec875412c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d663113afc11c94b09009e21467a3310

SHA1
f5efa5e7c816ce7b960cc0a432addec37aaf723a

SHA256
9c646e783c70e9474fa3a81ca18f414c655d1d57c6c8638359e393720ef29cd8

SHA512
1303928fe17706927874faaa048c423a3ec5df82f767c4028c3e52b286fa49f2c62874f030d8aa3092c1e9b41f976ddc5c455cd866b0ee28049f2ed2bf66679f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
989214f37cc5ff4c97e03fb373b3ef01

SHA1
a952957832541e1803ec70502e0b96b2af8fc42c

SHA256
62df35fda72bc0708528769605a591f18bd1d23bf0054371dd2ce485ea199d4c

SHA512
d505ec68465d27511b0daef6e73e1146125f1095855cd6f5f6d319d9d51ba13328536967fc5abecf75904252520055bdd6979c29509e75c8004f645f2a34b3b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32d6393de114515afac9e861c4cb07ab

SHA1
05ac94f93417b873ecedc6f0fef4a31cedbda403

SHA256
a02844b5dcf4e37ef6f4f027915463038ac1823a894c50a8b8679b7b7af68a6c

SHA512
dc53c904422349157ec8fdf4c9b284840f94f26ea71a4a61f88a02769b88e28b8b5e213df11783de0f71f96fc73d75a5749b4ada634c322eee34b5c4f1fa7629

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4980.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstTheLatestFlashActiveX1.htm

Filesize
341B

MD5
421d7f9320aa0a92597c59c5d62bd7da

SHA1
3f36784e9ffb169db872bb75588e4a29e64e725e

SHA256
81e0dd5758a2c69fb4bceba1454c0dd719e41730c74326fb5a3a1434d2cd7ef0

SHA512
93dd82833333ff32352420b74524147fd887e5e8cde7bdc6a6ea69e162c01aaef384ccb2730747d92cf65c3e615e35ea8de12e9d6fe72120a509e1ece654e0ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A63.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Fonts\pk.bin

Filesize
8KB

MD5
d64910cd63430c6f24ceb2429af6f44c

SHA1
2282e14300a0f53843add1dd56a213a2eac3f249

SHA256
d8cb77b94dc8a07e275a1cdb2dd4afcf4dfda24feb797e662d2ccfaa700ce276

SHA512
f77cc7735e4ae85391a5703d59988402d56d8101cb57cd8a80e184cbc0c2f0ca7b5fcda6d579243f03e4d04ca6d6585309f15ba04ba32efa5e63541bab10a7dc

Download Submit
\Windows\Fonts\BPK.exe

Filesize
1.9MB

MD5
f33b409e595693b3d612574f9fefc0e8

SHA1
58d2790efa7a837de5d8a1532a9355c435610555

SHA256
d876ca6dfa0163a4b41eefe0e203cf922ed146dc379bbb67da76a26fd06306db

SHA512
e94d3187ea1123df34fe311e699693f047e5e47b160d34b2a7d69193ce649012715c89b6960d5cfdbf0cbbbb06964bbf435a8e7623d7d2af8341feccc2389993

Download Submit
\Windows\Fonts\FORYOU.scr

Filesize
1.2MB

MD5
89b18a9cecc1c6271cd3f30cca9a83e5

SHA1
31f7c613057914d7c099ad8910526a6c2ac7d04d

SHA256
65ff8787ac2d74faf24b46b27d1a79b1088764060ed7251f29374ec94272e761

SHA512
9ba37f168723e168ac3afaffcdbafa1e392aa8ae61a813a2d475de35108d160cb3dc8b607ca62559ed38372b54b9b73c42f003fbcf33d934415c15a36cce4b3e

Download Submit
memory/2148-510-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2148-17-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/2528-516-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-998-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-514-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-515-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-512-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-1003-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-1002-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-1001-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-1000-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-26-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-513-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-35-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-999-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-511-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2528-997-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/2868-31-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/2868-20-0x0000000003C60000-0x0000000003D9E000-memory.dmp

Filesize
1.2MB

Download
memory/2868-14-0x00000000039F0000-0x0000000003BDD000-memory.dmp

Filesize
1.9MB

Download
memory/2868-0-0x0000000000400000-0x00000000007F4000-memory.dmp

Filesize
4.0MB

Download
memory/2868-1-0x00000000001B0000-0x00000000001B2000-memory.dmp

Filesize
8KB

Download
memory/2868-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2868-10-0x0000000003500000-0x0000000003510000-memory.dmp

Filesize
64KB

Download