26db5ce5c1b9d2fdf021eafe34c312ed1e7bd563d29436ef6f5fc759d6f97828

Analysis

max time kernel
124s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 20:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
Size

611KB
MD5

00ef4077bf8fb81b31ee73734f64d7de
SHA1

4e28167757ab5ff25813da015fcc2506f8d3e69c
SHA256

26db5ce5c1b9d2fdf021eafe34c312ed1e7bd563d29436ef6f5fc759d6f97828
SHA512

f784bdd0147dd8c9bef18d4bf7968dea52929750ad6a0b65db933acd93361b2dc8eacd21f5c89d5c6757198b310bfb8536a3b0862212b4917b8dd9a9c7e21a35
SSDEEP

12288:OmDslh3AU0/JmEl19IYrJO0DyYQ9FS+kS:OmbgE/793DzQH0S

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2816	wmpscfgs.exe
2680	wmpscfgs.exe
2448	wmpscfgs.exe
1520	wmpscfgs.exe

Loads dropped DLL 6 IoCs

pid	Process
2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
2816	wmpscfgs.exe
2816	wmpscfgs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Adobe_Reader = "c:\\users\\admin\\appdata\\local\\temp\\\\wmpscfgs.exe"	wmpscfgs.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
File created	\??\c:\program files (x86)\adobe\acrotray .exe	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
File created	C:\Program Files (x86)\259477461.dat	wmpscfgs.exe
File created	C:\Program Files (x86)\259477570.dat	wmpscfgs.exe
File created	\??\c:\program files (x86)\adobe\acrotray.exe	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
File created	\??\c:\program files (x86)\microsoft office\office14\bcssync.exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray .exe	wmpscfgs.exe
File opened for modification	\??\c:\program files (x86)\adobe\acrotray.exe	wmpscfgs.exe
File created	\??\c:\program files (x86)\internet explorer\wmpscfgs.exe	wmpscfgs.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpscfgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70c5a9427ee2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428505346"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B6FEB51-4E71-11EF-9EB8-6A2ECC9B5790} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000dee531691f9c9674e87196ec21e57e4ffd119eb4c45ac79d4cf759eb7e83c16f000000000e8000000002000020000000d2c5383054bd5ec79828129e7bb507d4fdcde6af414d941a8ee146887f1517632000000040c8812a64e2f76386101b64082a49abae3b611fcddd6b1e63be9762467be544400000005df49e4bdc779602f39870f5ec9f83c4900748d9b48b57db40bc9ee85cfe2229ed46ef714a64f06f8ea71753d94d1a88ff6f148661d7b6b1af91d3fa0553f36e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000006ef97edc7511012bd089078048291ec2f0b04762af898019cff04bda0c6e4a4c000000000e800000000200002000000005b0ac4a6610583bd0603c688dd2ed19ca2034000c69b3bbb52cb770a4f5073b900000009b504c27c6257d744a174780b35913bb739659fd4b7ab1cc5700cd0ac62c3f7e5a9155353b44d46dbd298346716f3162cedd86d1b7e43c41efefcf6c70f98aafdc7180f13fe1489f4a5d2388d2907c03fd1998446c1602cbd85f409efb7c76aefec599a273eb464e696a9d0d07d41a763fe59f7a1ac1bac2d174c57833101634db668ce85766596203fbf119390f36fe400000008a871fa9aaa34e88751caf49a67e7c53a5134f814c4fb6718ad594e4a665375653483f699a4a8493e4486dfd3334fc55e4c2cc2b1caf879e99711ae30ec01929	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
2816	wmpscfgs.exe
2816	wmpscfgs.exe
2680	wmpscfgs.exe
2680	wmpscfgs.exe
2448	wmpscfgs.exe
1520	wmpscfgs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
Token: SeDebugPrivilege	2816	wmpscfgs.exe
Token: SeDebugPrivilege	2680	wmpscfgs.exe
Token: SeDebugPrivilege	2448	wmpscfgs.exe
Token: SeDebugPrivilege	1520	wmpscfgs.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2676	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe
2676	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2676	iexplore.exe
2676	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE
2676	iexplore.exe
2676	iexplore.exe
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2676	iexplore.exe
2676	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE
2676	iexplore.exe
2676	iexplore.exe
884	IEXPLORE.EXE
884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2816	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2816	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2816	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2816	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	30
PID 2648 wrote to memory of 2680	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2680	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2680	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2680	2648	00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe	31
PID 2676 wrote to memory of 884	2676	iexplore.exe	33
PID 2676 wrote to memory of 884	2676	iexplore.exe	33
PID 2676 wrote to memory of 884	2676	iexplore.exe	33
PID 2676 wrote to memory of 884	2676	iexplore.exe	33
PID 2816 wrote to memory of 2448	2816	wmpscfgs.exe	35
PID 2816 wrote to memory of 2448	2816	wmpscfgs.exe	35
PID 2816 wrote to memory of 2448	2816	wmpscfgs.exe	35
PID 2816 wrote to memory of 2448	2816	wmpscfgs.exe	35
PID 2816 wrote to memory of 1520	2816	wmpscfgs.exe	36
PID 2816 wrote to memory of 1520	2816	wmpscfgs.exe	36
PID 2816 wrote to memory of 1520	2816	wmpscfgs.exe	36
PID 2816 wrote to memory of 1520	2816	wmpscfgs.exe	36
PID 2676 wrote to memory of 2000	2676	iexplore.exe	37
PID 2676 wrote to memory of 2000	2676	iexplore.exe	37
PID 2676 wrote to memory of 2000	2676	iexplore.exe	37
PID 2676 wrote to memory of 2000	2676	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00ef4077bf8fb81b31ee73734f64d7de_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648
- \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
  c:\users\admin\appdata\local\temp\\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - \??\c:\users\admin\appdata\local\temp\wmpscfgs.exe
    c:\users\admin\appdata\local\temp\\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  C:\Program Files (x86)\Internet Explorer\wmpscfgs.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:884
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2676 CREDAT:1913861 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9664b7f944b958086bd4a9f074e3c7db

SHA1
afd2f0c2a894bbe9357d2e379363db91f92b11bc

SHA256
76d6ecefd72f85f499b9cbf8e3d5b16f9bf4e8ddc24ad2b079188eb02ac7fba6

SHA512
c4a51dfefbeb51d73f776e75dd2065a76a48a80da7e7b78649e8e878dfab4bf2e77d0f3660f84f9872938ba4451d6490416adf961d851578e84317958a36ba88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4805ebc0acc737a70c1634687b91378

SHA1
ed5763e2d0c42d2e9fd565161b00f69a63e02e9c

SHA256
180213d5cb7f21f294e6ec62f26b20b27ad889f058dc1cf06d3dd2dd081b7265

SHA512
fcd1da08a475c2f3cbd120f6f11b737e40723a6011f9ad8876ca86e33043e71e689e4ed697261d208272dede886679395219a40a75e22e05f5a956c4c5b4849d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0877828d48b2bc0154320c72eddf5608

SHA1
8294dad199f24d7f2fb42b2cf9a45b1329a6a454

SHA256
ab9e92800effe8f8734cc9a25e1450ca8ef6b045a30056cd4606760de5f3d650

SHA512
70a7764be510341fafbf79c57704adcc3d27f20243f41fc77cd668020494f5f4aebc3dae408a0aa23b5b46b99831856831a5fb052a834819007fd6b4ba1488c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f388efc091d934b4a8b9dfd144c741b8

SHA1
8c89f2926e2690ee3280f11aab1bb72ed58695b1

SHA256
4aefd492ec5088800f6f257f6266d9ee39b9eefe8e5422541daec3bcadfdd086

SHA512
a0f9db7be74ca80b920ade4634399811e40f16874fd5fb5f6457be36b82b9cb1644b11993d6c86d6b2acc3583feaaf24c8f007d0b2e4667a3455333fc6eb506f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95e1af349346c98dee9a8dae6ab602bc

SHA1
bf90d0b28914fc7bda13c094bd6c09551730e34f

SHA256
a4c1254cafaf2f653b563bd05d9bf5a502afccb75ef113c7bba8f4de5d46f0a6

SHA512
0f04b959b3e31c5b8c5683ae89886ed3a0801949da1709e82d1b0333286f5a974b094a2c011aeeb154f2fb21c1816c5e9c30767901c2a9a8a4ab9f5e74919a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7f5161c31531092104d6b2b16e2a80f

SHA1
c9cf326fee40244d465f80cf0db3c6f0a138ad21

SHA256
f9d5f88a7336f0be5b6188895dc745ee943f42e92e993ab567916fc97d0011d8

SHA512
ef114839b7a1a35111bed758f7345a05d067ce5acf9c6ea07508da683c1bb8634c57281b27fa6dbd839d64b233ce048c04d4089a55781712cddd955de4f5b0e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfc9448be52e1d79061aa2b6ef6338e5

SHA1
3bc1f4f43386a422446e9f5d9ef9fa61502ce330

SHA256
48755fce01cd29b5f0ebde1667fdf375503e502e8a18036d613dca9a245e9c2b

SHA512
9abc9a0826b8daf643e16ddb44f46594a98fcbdb64789da61227ccd945d01f999a5829c2cae41fff3e5f1ce99d3b1138daefe6de47206647a95b2a78bee46c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8acf3c28524930d8e200c0bb29163b9e

SHA1
365da387eeda49f829a4d9cc551b1015cf1c4953

SHA256
523f40c9a7effab89d4f2b61c14c6f070a59f867e72b0da3bc2f732848e59896

SHA512
fc192c002f02e3b63556e6c13fc4d88f0c3d7640618f575570a48009d9e88dafc6e5abcb379c6768c2e404a5e4debde9872ae691bf7f6c0c8351cc91969cf527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e56c0c5c7e0d1db982fce2710047f621

SHA1
06920dfa44ab47863a40918923a7cc867fe9867e

SHA256
5b5ca6b62a3139d11ad2f50a46bb9bbd63de29015e5bd052da6f048afaedf21a

SHA512
04f459343f55fc439ba21e656c514bf30886547312e4f92bfd4cc93ebdeaca8742d55a0fb05e8d1c4318a6cc734976d2ff7057d25b33cce69e2f2e961f150312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bac2313779b5ffc806c897a98f7359f0

SHA1
aabbc22e9d8104dcf0c13524d43d7c14b21e4fad

SHA256
9acce3938fa5e7826cf29a1ced41cb334606bc3de35556f9b8121c0db9348a74

SHA512
7ebdc6df92206b78d05d71a77a406476738758c71807fa18a2f6d4d5bce967a458c34d4186bc6ae884a3ffd519b7c077475d63393025261a9569c0a32406f5d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c6629ab797e512ef9d9b828d02d1c0

SHA1
50d12417d755c0b5f7cf65658f0135e8da558b65

SHA256
6f66ce3630448cfd53cf94209eb21595287a7ace32a2fe8e289f41253feeb18e

SHA512
4dd80425ee9fda8e7901c01d26bd50c7bacf3db1b6bf496483e1435ecd209ea0a7028d85deadaee52cc8a40cd00943729c99b4ac1539c909fdcb731fd0d3549b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
752ba82cf87807cd044adcf9b4586e80

SHA1
77a3574f2f7a81fc347ca6348faf2ffa4262436e

SHA256
b7115e5a3b59de6fdf8f4d54c4f0a3c72d80eb6a451506e97df1b1b8b0cd3b15

SHA512
6ae1135381295c574377fcdabe0e231b5fc61bbb511a184a6786e565ff837d0f9654d848d5b16ae01adbaf0f53b7830588b7b232b2125f9fcb0ce06e2323153f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f8382507edee03de864563179955bba

SHA1
db940708d4420fa46f9baf0d52ab26f687682e6a

SHA256
6ca522d9d0ea6b2cd3ed947b1a23c9632f974ee97195060c49e6022af7e1c58a

SHA512
c47e0b8d400b7e410bb6c0fdce6e895fc764944711912a62463c0ad6286ad310ee5a2e82b44e0ea9b7d7620569948fa8c9303638d253c016ba198f3bee42ad90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d91382689f3d53e1b239f8ae304f3d7

SHA1
c47e59ba68a1a9e567986ef0d479e1e9cf3a64d8

SHA256
e2e09d9be145cf527c8e5af6d07ee21e167ca7fb3ea2437c6a0712b3a13ea6d8

SHA512
327a4a443a8bdd718405060268cbf0b44650126f6946edd424169773cfee60dc5680c74876d97d58c94a5a0544b9767cc955c6cb02988caefef0ead8e1e92383

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e31d14a03be5a32ab5be799469118e14

SHA1
b752acd8bb5b2ba28f496fcba5da4cf0f6d08294

SHA256
b495f56ce0f8f4c255c0dc55dd90ce820a2d2fc1594260899b8b9c54f2481819

SHA512
062e82d57150b41eda0272f61fbad52d796cb70b165f62ea56d52399ad4ea42fa0952e4433fdfe153ce34be8338dac2efcfb0b07a32b2f439b15af887daa9e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d7fb2642645c74c82441a31083d3c1

SHA1
ba04418d1f5eceb8cbe9d900e80141945dc995a9

SHA256
dfe495c80cf4f3dd74941bd61590d30451b0377105ae05534cc11a7ccefcd886

SHA512
6a37f04269f9a2ba7d2d7155452ce39b2e107d597f80ae6bb824c502d3135d25a625abdbad9fd216eaa911bd27acc27b1e805283dd7ab0555ca23f4546e0c294

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e05250a50576cd5908e6ba3d9545983a

SHA1
8f493712af272aed9bb1b3ee2fcc8e8d1798d222

SHA256
d7d2c10824ca01843a248238044623c000bd7d7404f1330031d6863a4d0fb1f9

SHA512
a73cb1b4fd1a2f48d29449b4debc7b84f9d199da57dbb646885af7c93be7172717b3df500c550adcf0e936b5b048471653771c2beba158c0fbbadb0d165f192f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf000478546de56d505baf4ff8fa6f17

SHA1
ac114f43d1709d524b5218f054bae9ecb831cc07

SHA256
d419fd5e6721206db2593c4ac9e9f1652178afb3f64042cfbefef13160331921

SHA512
028525e2cfb40006817423d0df710cb4834f65a2e2d6401602e4aa4a1313390b630e06c1c196c31d1b86b968da9f78b0586e44e4ecf215dbc7143e0453cc2c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3e733171ebf4df28530a544264e3010

SHA1
928c52ac6de6de9d02cfa88afc0d5b1d68819bf8

SHA256
a821c920ede265128e8175aeeaee0a3b92ddadde3d134db552a822281035dad6

SHA512
a09da9c3960120e1639962feea3627ef92fa72c4fd06c89c6fb8723b04bdae05404caf4ecf8f34a758f86f403acab12ddf61a7421273eb3b86d301a54f0a9ea0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da1ca6c36139b221184aa9ac50a9da85

SHA1
868b91307f0dfa571a8f362a3ad2613b0c4fef57

SHA256
5cc72d7d0081f421c0d0710768dee0db5cd51884773f71f9d58255da9e7ed334

SHA512
23952a1f9c73e73b6fd1a4d7b32680a2350837bd548eef8674a6f66fe601fb19a673d6381fa33ced642e01e8c9934df99d11e90335aa84b9072128b8fe283cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6EEB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EDD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpscfgs.exe

Filesize
631KB

MD5
d0b3423f9558e1f4857ea870ff5c5fc7

SHA1
565dadbd662106a5b07b1f70e30152ed4ac09ef3

SHA256
ae1b3ac19c78fd371d35786fb5b51c2e20d48afc9b684f20a36866f369c59471

SHA512
4b10cb322c2f0f07322b43740e3045367e3cd84b98675679b0a65ae5656f73d284784ce65fd11e13b05f2eca374d743717f47148fbb1e19aedd2bb2630f3b1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MS4CS6A2.txt

Filesize
107B

MD5
618b3ae3ba29fc3ecbe44671a232aae9

SHA1
fa48512a131117f3104ee22255f2a54557466607

SHA256
9a7e24f98f317153f5d15cde3843295376fcbc9664c0aa8b09aba0369c4279e9

SHA512
3e38050f515dd1c0e91fa44f3fe027d8bfd8eab86aae3ec612b23e3966a81bd3bfdf352656c5663600c95883ac15280b6bbb4603e692f1d5e4e202d354442ab3

Download Submit
\??\c:\program files (x86)\adobe\acrotray .exe

Filesize
644KB

MD5
20339ae81dda94832ad675d6a2790f53

SHA1
e0f0e6bfaadc8d36a3d88ba223d37a0c8264d269

SHA256
2cb8337bef4ee3242007aa16f963e8628ab81707293594761397547ebf7bfc88

SHA512
3ea34f7889a13f96fbf1e52855ee52fc62a3c290014b4692ae40007c72e5ac10399086605197d6892ad2386b8ddbcdea3cc6a928d2e943e1c7369e449efa642b

Download Submit
\??\c:\program files (x86)\adobe\acrotray.exe

Filesize
637KB

MD5
caf540c5a9445d5d9454d4b02d6e35b8

SHA1
4aa6d9a4b7955bee154e9eed4517cc530c84f091

SHA256
f0ddb853c948e31ff78da0a4b55e1a7c1504f6cea5a61a4d19295942c5cdbf96

SHA512
66b5ad076e8b068ae95807773863df532893df30e94847c63b45045edd840534bc6d9e4627cd90e7a961f5a7674a738f2c4ab404f1bd9d492940106ba5dc4f8b

Download Submit
\??\c:\program files (x86)\microsoft office\office14\bcssync.exe

Filesize
613KB

MD5
df626f8aa63570a430fe2ab18498072b

SHA1
25eab9bd6d999ba4bf71fd60da6f9d17e4b415b2

SHA256
5f96a974a2b1da40785c42cf4a245f4c41b74b7ac9710175fe24bd6116607459

SHA512
99705693de4989b44a94cef0e14ee736a3627342a63b62c5f9ff4dac102ceea5484d493cf9354a5bcf89dadb7c120c75964eae0a8d104652bb0ef24441853d23

Download Submit
\Program Files (x86)\Internet Explorer\wmpscfgs.exe

Filesize
637KB

MD5
708060a181e79c5803640809da731556

SHA1
939d6be99c4cc7f840a970686918c1881905f3df

SHA256
3036e87178a8e0b63f6484fcf0a7cf5d7179c087cc7ff5967ff164ccc248b167

SHA512
c03b06197bf49a91568cdd3daef5a00dfeccd8d080a7fe7601b624983bd323450f43a98778d31daa2336994003d32a3e8957333243612d8230cca94dbed377f6

Download Submit
memory/2648-1-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2680-35-0x0000000000470000-0x0000000000472000-memory.dmp

Filesize
8KB

Download
memory/2816-22-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2816-50-0x0000000000570000-0x0000000000572000-memory.dmp

Filesize
8KB

Download