5a5e8e6cc40fe8995989ee9166d7c3415e293620ddd890c4a515d7458e3233f0

Analysis

max time kernel
143s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
Size

386KB
MD5

857f5e06e474e0527e33689b002bc4f1
SHA1

b3f9eb9ee306489a2189ba1488307214ec6e0400
SHA256

5a5e8e6cc40fe8995989ee9166d7c3415e293620ddd890c4a515d7458e3233f0
SHA512

5ecba9f3c8a57d11e13301a11902493d81f2bc4ed4f43a7fbc93d2620b6b021bef0dcde121d7e75e33cb7775faf8cdab4fc0e3098edbcb8248b52bf2af2b4762
SSDEEP

6144:fZLZ051ZLZ051ZLZ05aZ051Z8Z8ZLZ051ZLZ051Za:fNaNaNBa22NaNa0

Score

8^/10

discovery upx

Malware Config

Signatures

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	exc.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	exc.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	exc.exe
File created	C:\WINDOWS\SysWOW64\drivers\wimmount.sys	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wintrust.dll	exc.exe

Executes dropped EXE 1 IoCs

pid	Process
2400	exc.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2028-1-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x000100000000e664-15.dat	upx
behavioral1/files/0x000100000000928e-67.dat	upx
behavioral1/files/0x00020000000057fe-75.dat	upx
behavioral1/files/0x0002000000005801-81.dat	upx
behavioral1/files/0x0002000000005807-91.dat	upx
behavioral1/files/0x0002000000005805-88.dat	upx
behavioral1/files/0x0002000000005804-85.dat	upx
behavioral1/files/0x0003000000005757-111.dat	upx
behavioral1/files/0x000300000000575d-116.dat	upx
behavioral1/files/0x000300000000575e-120.dat	upx
behavioral1/files/0x0002000000005a21-139.dat	upx
behavioral1/files/0x0002000000005a2f-150.dat	upx
behavioral1/files/0x0002000000008ade-174.dat	upx
behavioral1/files/0x0002000000008adf-177.dat	upx
behavioral1/files/0x0002000000008ae0-180.dat	upx
behavioral1/files/0x0002000000005815-185.dat	upx
behavioral1/files/0x0002000000005816-189.dat	upx
behavioral1/files/0x0003000000005772-193.dat	upx
behavioral1/files/0x0003000000005778-197.dat	upx
behavioral1/files/0x0002000000005a3c-201.dat	upx
behavioral1/files/0x0002000000005a3d-205.dat	upx
behavioral1/files/0x0002000000008ae1-209.dat	upx
behavioral1/files/0x0002000000008ae2-213.dat	upx
behavioral1/files/0x0001000000006415-256.dat	upx
behavioral1/files/0x0001000000006419-260.dat	upx
behavioral1/files/0x000100000000641f-264.dat	upx
behavioral1/files/0x0001000000006423-268.dat	upx
behavioral1/files/0x000100000000f22b-272.dat	upx
behavioral1/files/0x0003000000008517-288.dat	upx
behavioral1/files/0x0002000000005823-292.dat	upx
behavioral1/files/0x000300000000577f-296.dat	upx
behavioral1/files/0x0003000000008518-302.dat	upx
behavioral1/files/0x000300000000599a-299.dat	upx
behavioral1/files/0x0003000000008519-306.dat	upx
behavioral1/memory/2028-312-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0001000000003e80-319.dat	upx
behavioral1/memory/2028-604-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-2428-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-3071-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2028-3551-0x0000000000400000-0x000000000040A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\comsnap.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\vbscript.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140deu.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\PeerDistSh.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\rasphone.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\EhStorAPI.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140cht.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\kbdlk41a.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\scrnsave.scr	exc.exe
File created	C:\WINDOWS\SysWOW64\untfs.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ActionCenterCPL.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\capiprovider.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\TapiSysprep.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\bcrypt.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\msidntld.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\iccvid.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iologmsg.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\mfdvdec.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\syskey.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\winusb.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\CertPolEng.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dxdiagn.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\csrr.rs	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\l2nacp.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\security.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-synch-l1-2-0.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cca.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sort.exe	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120fra.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\RegCtrl.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\odbcconf.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\RpcRtRemote.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\TimeDateMUICallback.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\comctl32.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\msjtes40.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\SortWindows6Compat.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sqmapi.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\TsWpfWrp.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\api-ms-win-core-processthreads-l1-1-1.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ksuser.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NapiNSP.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xolehlp.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\deskmon.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\hh.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mswstr10.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\NlsLexicons000d.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ctfmon.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\KBDGAE.DLL	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\feclient.dll	exc.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc110ita.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\upnpcont.exe	exc.exe
File created	C:\WINDOWS\SysWOW64\authz.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\C_1256.NLS	exc.exe
File created	C:\WINDOWS\SysWOW64\ieui.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc110chs.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mprdim.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msvcrt.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\atmfd.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\fphc.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc120ita.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\vbajet32.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\atmlib.dll	exc.exe
File created	C:\WINDOWS\SysWOW64\ifsutilx.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDLAO.DLL	exc.exe

Drops file in Windows directory 52 IoCs

description	ioc	Process
File created	C:\WINDOWS\twunk_32.exe	exc.exe
File created	C:\WINDOWS\write.exe	exc.exe
File created	C:\WINDOWS\HelpPane.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\explorer.exe	exc.exe
File created	C:\WINDOWS\fveupdate.exe	exc.exe
File created	C:\WINDOWS\twain.dll	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	exc.exe
File created	C:\WINDOWS\splwow64.exe	exc.exe
File opened for modification	C:\WINDOWS\setuperr.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\twain.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	exc.exe
File opened for modification	C:\WINDOWS\Ultimate.xml	exc.exe
File created	C:\WINDOWS\bfsvc.exe	exc.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	exc.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	exc.exe
File created	C:\WINDOWS\explorer.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\fveupdate.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\msdfmap.ini	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	exc.exe
File created	C:\WINDOWS\twunk_16.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\twunk_32.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	exc.exe
File created	C:\WINDOWS\mib.bin	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	exc.exe
File opened for modification	C:\WINDOWS\win.ini	exc.exe
File opened for modification	C:\WINDOWS\setupact.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\win.ini	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	exc.exe
File created	C:\WINDOWS\hh.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	exc.exe
File opened for modification	C:\WINDOWS\Starter.xml	exc.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\TSSysprep.log	exc.exe
File created	C:\WINDOWS\HelpPane.exe	exc.exe
File created	C:\WINDOWS\WMSysPr9.prx	exc.exe
File created	C:\WINDOWS\splwow64.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Starter.xml	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	exc.exe
File created	C:\WINDOWS\mib.bin	exc.exe
File created	C:\WINDOWS\bfsvc.exe	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
File created	C:\WINDOWS\twain_32.dll	exc.exe
File created	C:\WINDOWS\twunk_16.exe	exc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "290"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "233"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "8"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "118"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "8"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "255"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AFDC4271-56F6-11EF-A24E-4E15D54E5731} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "251"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "290"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\Total = "347"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "233"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\avira.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0087ab8903ebda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429442166"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.avira.com\ = "100"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
468	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1500	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1500	IEXPLORE.EXE
Token: 33	836	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	836	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2972	iexplore.exe
468	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2972	iexplore.exe
2972	iexplore.exe
836	IEXPLORE.EXE
836	IEXPLORE.EXE
468	iexplore.exe
468	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE
2504	IEXPLORE.EXE
2504	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE
2996	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2400	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2400	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2400	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2400	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2972	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2972	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2972	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2972	2028	857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe	31
PID 2400 wrote to memory of 468	2400	exc.exe	32
PID 2400 wrote to memory of 468	2400	exc.exe	32
PID 2400 wrote to memory of 468	2400	exc.exe	32
PID 2400 wrote to memory of 468	2400	exc.exe	32
PID 2972 wrote to memory of 836	2972	iexplore.exe	33
PID 2972 wrote to memory of 836	2972	iexplore.exe	33
PID 2972 wrote to memory of 836	2972	iexplore.exe	33
PID 2972 wrote to memory of 836	2972	iexplore.exe	33
PID 468 wrote to memory of 1500	468	iexplore.exe	34
PID 468 wrote to memory of 1500	468	iexplore.exe	34
PID 468 wrote to memory of 1500	468	iexplore.exe	34
PID 468 wrote to memory of 1500	468	iexplore.exe	34
PID 468 wrote to memory of 2504	468	iexplore.exe	36
PID 468 wrote to memory of 2504	468	iexplore.exe	36
PID 468 wrote to memory of 2504	468	iexplore.exe	36
PID 468 wrote to memory of 2504	468	iexplore.exe	36
PID 468 wrote to memory of 2996	468	iexplore.exe	37
PID 468 wrote to memory of 2996	468	iexplore.exe	37
PID 468 wrote to memory of 2996	468	iexplore.exe	37
PID 468 wrote to memory of 2996	468	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\857f5e06e474e0527e33689b002bc4f1_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\exc.exe
  "C:\exc.exe"
  2⤵
  - Drops file in Drivers directory
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:468
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1500
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:1192976 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2504
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:468 CREDAT:537630 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2996
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.freeav.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2972 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
3a91d57d7179e7e7d47211e33a8139c7

SHA1
7e6d149bc0e8f52a4bb95569a0cc3087d30dfb22

SHA256
bf9847ea31aa673066be8b88b3e2f50b7d3dad19bdc2d270aa383a5056e8f4b4

SHA512
762e8c27826f49e11be1d48f903a0309069b7f876ae8942a1973ef6e41a87a30094b8995ef3fe101d8610039bbcbab81628ee063854e88b67c4f575a09d41dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
65338c01f73f4cf8f9a52975597a2176

SHA1
f06cf71348106db63c8092b056887975778f1859

SHA256
03f04ba04eed9d84d924de82f0da38da3ce34ae9c604c09d87405b268ad673f9

SHA512
ba191c9c891f9f470ac633cfed8869511fb128cf63c1889109cc424da77f18c949e29cdcb823ed4549e47a98ae98d458a3117fdade9afd2df6e6b995b7c75a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1d1c5fae74d542b6fe252f8ac1e09564

SHA1
d88bb0b4a642d58f56c2cdf0fe058c5fac2ad5cc

SHA256
a6d6fb6c715e2f54608d2a4d1c36c54280bd69776c5e7fbe5b9810cca81b3b45

SHA512
8db57afc443df7363cbf47683aea9df36f46b0e8847ac608aa79d4c181ac7954663342ac056a547cad535b64b0ae1581c1705edfbfe73e6c8f47886a8cab52e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
796bc1190f4006185b787aae668cfd0a

SHA1
5b8da54421202b76d02ba2a4e6c125b43436469d

SHA256
90f0e515c9101e49b15133ca1b42bc789dae7c6c6721f8abd56ab75f26737cde

SHA512
09f8f845c49e9b11a071e92ee4635ea5bd03dcb91095fdd4c7186757636bc32552c9dcd2dccb006f560797ad3db38ae552096fd6bb4870d20cfed84e30d42290

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b5e6d5df380b5933fea4542530e15078

SHA1
a41208ffcb8ac490cf950e074da5e15b0a6fad05

SHA256
c866aeae0655ac449761a1516b53796677ae9725f620b4609ff256944acf06d0

SHA512
30833b21a796c76ee1c9b15224968da071994b613e9b3a4b08628f6755a4f47f1b5c1f313ba9b30caac7bbb8033ec3a367dac7ca949d93d01252d4b94b71c3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e50ec0de2c47fb23d54cdb11de945d3c

SHA1
343b0cd74c12da7626c097afe879406e8e20a38e

SHA256
c417ed2e0364c92b8648aa483861b4e67d6a210cadb0daaf4c13a3eb608c65c3

SHA512
6f0478ef5430585a8b4be7b7d3eaff7aab96be909657f6975e2c5625e6054c6fe21b8f7dd5ab2e640dc71f94c960685f78e6faeacbdb972b6c491ab913de79ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
77eed86c27bfad752164f2b0d1eb3db9

SHA1
c1498365880b0ed057f6381a585ae6619ee98dae

SHA256
c9b464e93a3b07f6721b2e74b9dd1855410cf14015772e06f0bef79c7904db26

SHA512
2237a9eab69c7325723b14cffc283ce034fe9171d689329017044b975106fce1b82553614daedcc884a35f1a17d226b2fb4aa2534193fa9691eca5dc3cf6aec8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
94dd4d862b70533274a70c0f3e2d1cbd

SHA1
f0bf108ebf2c3a89f3650354bbe06b74f6c075f2

SHA256
031d9536d24705a98ac74c7e2ec6ef86175d49b523cfd0db3a84a30733f9ad6c

SHA512
c765ae1f7424b02d557dbb87bac6ee80250a7cde642737119f01f2724e71556054642b9c0aec60fb14c746b0cae82976141d342fac58dab51198973900ffffe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
35455c85b57d049599e1731255862fe5

SHA1
f33dfa92b310c78ecc380c7eadb574533e23b3ae

SHA256
c03da786c8b0c7e3d59445a8d8774be58885705490c000ba3c9ca523f34f74ad

SHA512
7d65f54ca47b801e0592e613e355449dd255f3e06184ac420c4e4f00ed733cd12b189371aaea34b3fe81e68620db9114efd2fea51c47cb30f577d9ae132f8b59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
4bcee6846abb52274320415648042914

SHA1
73cfc2a601b96f500b934f96901a49eb83feb7d2

SHA256
32133390fa28ae6534eb5a9c53860985bc8df66c8296e035bebedb00f71a345a

SHA512
9654d17b6cae75da88cf1fc30e9c6476fad9bec5ddc4643ad57533d3061d03205bbfc7803f9b7c9c6a1b8057e0bbd617ea4a8d6e54e7a2d4af42c3089ff6ce4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
3725f14e0243bac8aa121ccf887ad98a

SHA1
9253cc0b12a49f8fa7c0c7dcbc41a49b351e39d6

SHA256
b9e34a6b11c388bc5f9f26d9355c7c45b9a05a46a1018a22654bb7de7d437333

SHA512
0c1812d1f6af155de1d01f6ebf491fe64bd17175bc1da5bb849f2cf6139e3720f4e9fef41604eda680d5a7321fb8ffd4f98e19ca36c30861f37b7ef4921665c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a04de59e37deaf42c1b58d0295359cf1

SHA1
146361145ce1121ae2804bea712317ea95616523

SHA256
1f2ef6c2ddfed23e196eb1f8f20b4bc45671aaca8ac20b773e213600d2c01315

SHA512
5fac5fedd415101c46ff7792f5ad530273ee0716215e2898846fc44d98d8c5650057d3b3bb3ca39ce9af3c35d32f0e99f14e69c8a10103f513f93dc475b38a29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7a4392f06b3c7bf3b38f90eee94191b1

SHA1
8a916fbd2becd62b91903a3524da2ef22ec81045

SHA256
f2cb1823f55d6a6d33609832384198d761acb2f9b730edf1219e1185bc4ead11

SHA512
6b19214aa85c7143f468d0f2412f78d150b920d7afbb271db1a7cdbdaaa19f1edadedf18432cc5d2d252502d95d88fcc7081e817ced0e3ad29595b825da2c2dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a04785e74e906e45ec7e7c858b05c603

SHA1
880e8aca350e053fdf7f68063f8e11910d505a11

SHA256
2c57fbe8c4a8e601fd71a1919fbc0c13b6af70e2952778850c63d8399cc58b38

SHA512
ff40c9e90adf630bec2db9a1c9cf86b693c610dd8c11d0f41fb740115427f74e9f5794086752b2cfdd0f62779b9386f3566b3ab82f53d9b3bbd6fe3038a20364

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
06e0f7e4ee4405fb04bdaaf397cf56d5

SHA1
f09ebb74dcf53ab02198caa86e069fbb82aac5f7

SHA256
b3f892d9cfa3598d423ede62b792422ea40a5a7472173029fc03427bbd76184a

SHA512
140bd06f2794bdca0d9ad46e2cca9b6b091fa4046d79885eac153b2e9b2e7e21ef98cfffeb0e0d1f1c8d2c3ae67b627eb53227af913d30ffe7e1b0a10645e5f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
befcd881ab1ad3e9de3d2a3371eb6759

SHA1
ab33a977c316953adb625e0c08a982a2812fd0ea

SHA256
f3a9c2e1b7d8c6f89d363462548022fbf6fd41663dcc2b4baa209b6fdb11f025

SHA512
15641c200a6f67b56d5265c2c8d8deaed977b703fc7a5c089c038216c1f54324ac7bfd665887c4a0842a22d109bfd6fcc4b1f883a9b35adbb54e68eff6383812

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1e583a277aae898bf7f30953966644ec

SHA1
7e7f8709f29e0030e583f4515cdcb38a62af3e2b

SHA256
36c3ce948a7bee294ae85a16120464710893819ea40407b9e8279584e881042c

SHA512
7ddbda90f0a6e468f8e3fd23ff6f85e25f998c5c151e181e73086249dce5d13827b2a546f541655a7e674c1ff7295a2913b751ce34bce7496aa87a7f0eae6b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
a5d2f5b51f74a68dc5719b6f924e5090

SHA1
d832e30b513b9edc1fd33d98ba658ab51be20366

SHA256
4fa9ccd693ecfbb4622d7af64f9cbae316c605afe63c1b08f5e652088a4d137e

SHA512
a03f1482a6a640f3777c6a914dd3db614df871d7df2525f75bb4dbc283f2a75d874d92f3265f27a37dc6188bc7b981037e5f4ee424ed723a2ee14b2ea4663a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5d3b9b61d42654b4d03e6f3a60370098

SHA1
c6ce21cb2fa487cf5ca2a6a5b636d30edabde7be

SHA256
737515a793600cd6233b8fb162b834298df088b72568cf5e5ec4fc97addf3986

SHA512
eb4c0146ea01e5d975c919eab1ebe7f60ce3d97ace948f2941d7aefa43eaa00c1b9dd905c9924c16eacbf18974113964845236e9fab03917ecb49e6f5147a68a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
7a706cc521e6da61c6246e05fa2d4690

SHA1
81d81c9c30506956106b76e65c50688fe87e4bc5

SHA256
3eda73a36b57a05ce0b7670270490f2f570b89878357bbfe11c5ae50a01fb709

SHA512
a9f80b5c5613cca78d3ec70888f47930e3673f13b2d32a52c34a27fc76719928503e7c9ff7ed692beb66806e7968cd0e070679b0111fc4c805b5bc1269af265a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c83b75b48e0eefe18834d4946c4c9df8

SHA1
dc988bca621816760b3dd200b6a9e2d2f05671bc

SHA256
a01a63c7da42934b370b82b920d705b4d4c3d901ba0bd38968d69bd444900f01

SHA512
6b2d20b27ef442f37284252cb19ba3ff0a2b19816ba6e7e15d0d6f404f8b0dd1ddff0f47732c09b14473187240d8c18d7a9a5125c67b21328f5cfad03d3896ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c3b62c18280e8ccdc8206ef044df2d69

SHA1
6c769675fe0e69f577dbe3a300d324df8536f3c0

SHA256
20f488db6b995318c3faf4edbbab4bd7b10526ebb57f711b55ec180854620e9f

SHA512
b41e742f661fea694786456dc4ea8a09d3b42b48c0dc077417b64c292121ff95a01af5b59188a2db6ea361953c5e89a47ddf3426f96a7771c02141776f8d15d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2976474d7cf22952a8bd2624bc51fe86

SHA1
eb061270a720281c07a6770ded60d7fc32d044ac

SHA256
5e51b3e209b74b6871c2b8afefdcd1ce94256be33c587b3b7660e897f4e8537a

SHA512
e79d00de9f0d2179418f42e8873f7cc12c95f5bceb33e1201bcbfa7be96e551f9aaab93bb0559ed49728ac74fe554850a69ca386a0377191a370f4cb5dced079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e9351194915c7e84967f306ae1d76160

SHA1
55682f5c9b1a9e5afcd6800bc6b0cc9cadc746e4

SHA256
82a497a7309c6d25c7447ecc6039fe013ca8e12638953d94a2c494e7ff6a76fd

SHA512
5985fb31485ae0c45254e684f375f0f6d048f69fc52ed2991073f9808dd6a5ba0f4674fadbe0480f4c8d213f03fb9452085c998c716f8c53fe51028d66f93ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\P4T1IK6X\www.avira[1].xml

Filesize
437B

MD5
abeeeac663acc1192a7189b504262ffd

SHA1
832025570e26043ae05455d72bdd392cf4106b7f

SHA256
985761c994051af7e2be09d745a9eb0019dc556abd4092d115bb2ce5df4e49cb

SHA512
2ed891440139ca664daac8a56e1bfbb4abf0e2afb170dbe9d78cc5a3982074487fa2f93b25e26959daa61a378e9315af792ce93707b3f6deea741977254dd371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\P4T1IK6X\www.avira[1].xml

Filesize
437B

MD5
b6235f15b8908e2e7b8d5a28e9371310

SHA1
ab5be2bf5aef853f3864d33c8afeaa1ee133a383

SHA256
be77f1a6d9e64e7a4c14637d98f9db2d9b35dd7c4fa99b32890725676023718f

SHA512
4605c2d30c96c39551e2b8c294dcd4970ada87b9fbee757ceda1baca8a9e00ceccf1d7e01faff1601f62fe3a90a5221d1cee350ed62e9051c2662ee74d97f126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\P4T1IK6X\www.avira[1].xml

Filesize
437B

MD5
ce5f9ef3abad71105b4b94291586a5dc

SHA1
99c85d5d77faff7fdf305e642cd4ce53be014920

SHA256
f9293ba838e59f5e151e97f9dd1d0322a908a6ac2edba2cee0ef98450b893641

SHA512
00950d035512340fe10705c0be59a85436e6550c7fc578930c4ab1affc7be6d2d26782fc5778069c81e50f0155be2659f8f73c6a12ff46de17380951f4ca1707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\favicon-32x32[1].png

Filesize
1KB

MD5
13e4a579c3cfa586f665ecd794e0462c

SHA1
b629b7170f76734c495630191e665b6a88024268

SHA256
a961b4999fbb3ea58527df10b36cfd5c6ac7cf9fd12a0ecede32a8f7f48fec30

SHA512
813d424cb854ecda3bd1cb73e87af2e1072364e5e6345e2a7ff0c93cdac34628146786f1f5fbfa869b95d72ff0071414af13c4453545e76b3f627c1343cbdc8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\gtm[1].js

Filesize
288KB

MD5
248af3e8c41291ee85f6d8d21020c70b

SHA1
f3dbfeae476ba940f2993f379743c4edfde478a0

SHA256
71a9199589a803b2c8d0158663b2476b1ccf680d170be41a84aaf92cb1fb52e1

SHA512
69e7042bf9c940b78cc67a8c4bd904f44496508514bf26bb7d3f114a32518659f38eae7b472eeed36d5004c91704a7e13caf33c1e33caf33c96c7e675b37f1d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2LF9I1AK\ouibounce_min[1].js

Filesize
1KB

MD5
0067986dd93b7869e9dd229ff44251ac

SHA1
3e89404238b959ac1d3c113b21cde64ac95ad267

SHA256
b74c3b8c5f786bcc4aa29f55ca0b178a0e2b5fcc6da3057a121bececc1b572ea

SHA512
dd84f6d85c350145b8237c30ee644e53195e5ff5a11d8d6e87a65b58be5b472a8335cf1413c5107f8a2d4e272ab69cd711e49ad82b77699ffc8298d572ccfd2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\9F3DH-WHDX9-7CG66-F4G3J-99FEC[1].js

Filesize
140KB

MD5
b1290dfc24cf0fa7fc8086f1b9dd99a3

SHA1
9e3ff4c4b46853c46fb8f6bfa46939b92b1bcbb4

SHA256
b38b56cc66465707f7a28c32aaa60859276bf30d268eb6d3a90a02bfb6d74ba2

SHA512
f3fad1e09005557fa72fc402fd3024c15350a5c30a3532989253cd4e9d1523719b7c7c6a5ee673a2b86b61519c7e3e73febfad60527f9774f59ea60feb7288b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4MP1SLKR\OtAutoBlock[1].js

Filesize
5KB

MD5
d20dd37c0551ffb1ddbf07bb14eb8673

SHA1
ef2d7f3f351d4f066b9b114e45ddd1fff86e9da9

SHA256
2dac11b6349b6fbbefe783a2cea3f35e8a9f2bd7e88a786874c0928700a9ac70

SHA512
5504c2067982eb19c8e4aa929171d3b4d2dd88eb059fa4716b83f81e72fa67e445868a6c4715276c4289c931ba9366cec4f839cfdd4990c4caba76f16628b6f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\gtm[3].js

Filesize
369KB

MD5
070e285598f3da7a4ee189cfc130b3d7

SHA1
7dc58e6129e352105673fa147820f88451c48ba1

SHA256
9fee0faecd66de1c2dd30927ab1387db972dfab0211156bee45ca74b215355d9

SHA512
26ef033cda4eb64631cac5820bc75318d04e849d8713fad6218ea5be5ae7f4b90947a2947ed442f9e7c8f9b64cc02e888f7cf45745d3b0d7fdc802c0330e038c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4UQ4J2DQ\otSDKStub[1].js

Filesize
20KB

MD5
cb08de8cd375c576ed0391912effd122

SHA1
921977c317f1a06373f63a26a35dda99f1af9838

SHA256
1505aa0792421f831935f4761a95f31462a3dd097c8bd00ad8e9c765c8065517

SHA512
63191331a5c4f5a6c9bc13ee9b9eb4b50dfdae38235974ee2183903c8167a8303088b3631708f09f7c5aea15bd202254fd799bbdc0965ce5ad3f088915c66b54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8804.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar894F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\WINDOWS\DtcInstall.log

Filesize
57KB

MD5
f89a16dc32e27bd406e4e65e92ce6f3d

SHA1
9c1a54b1414bed8d120f6cde1075d51444331aa8

SHA256
4af64aabb88a8ca55b7e20726e2a4a1d115dc42f10de28703e05d8c92b996159

SHA512
5515a1c18f5f52ade2881045f8d806feccca7d1b5cea4fb80a0c9b899940b32c3a3ac78cda69dd6009204f7d72987e0a847270c781379e6daf7ed7a876080018

Download Submit
C:\WINDOWS\DtcInstall.log

Filesize
28KB

MD5
cba392411f809bb87a0323860891dc1d

SHA1
8dff8509f65e7493abb920523a9a278dbc04d7ba

SHA256
db2ee68781b4241de93997728ef459dd2319e7d382719f950ec3f3da3bb04836

SHA512
7ab11a8e9b036cc45e90f94650a741db6242bec72d55bf7d125af4218d1df59c4f61e0e66c34777fe1502ea183ed22217d51e2f510c2e718cf26c7be27fd58d0

Download Submit
C:\WINDOWS\DtcInstall.log

Filesize
51KB

MD5
a1af2860047b2198c215acc482a9d4ff

SHA1
ea9b6f2b7760a192913959f8983e0d7d568845ff

SHA256
aa79dfe7327d2afa4b5dde9dcbfbdb87ba81e37b69f3b76150a91f532e830a6f

SHA512
fddd1e1b419a80cc00c77e84e25c84d116d5db1e00fe8e13b565391b382568bb9a7b3f1078c31c2e360983bf3f856f8c5109fc6931e71978556f1f7c82e77a19

Download Submit
C:\WINDOWS\PFRO.log

Filesize
60KB

MD5
9de061e704c2bba16944842a5c5c34c9

SHA1
2bd8445a0234dabd00789b05a5847c14968d79c2

SHA256
a82604792692971bae9c1485ea9fffe83ff9dae45e4e0d2715a41e012d926a09

SHA512
14e4b07b1e4c4a35e73dc2bc99fbaa78cb7f53d034e2af39801ab438e5630fc081a771d51b945628dba5fd751293d9071f995d1b10129f48721c124ac84f5a1d

Download Submit
C:\WINDOWS\PFRO.log

Filesize
115KB

MD5
e8efa58096b7e15441da2ee6d1fa2641

SHA1
78bef0826c040bf5800480314d3d57244a4cbad7

SHA256
e5cbb6118c4d75af3c309a2f5a97f805ceb1c06774d421271e575366ee96e346

SHA512
c3807396877f2a6a7912de918d449b0b2950570475ae9b02a058e9b692b71527615acccf7f95f9b1ccb1e16af7ef4bd2e74c0c1cece336f16d1868bd18fdb561

Download Submit
C:\WINDOWS\Starter.xml

Filesize
102KB

MD5
569ce6cdc0c4c6dc58ce9fdab45a2fa7

SHA1
b084ddaefd6c68a6de851ebc4ffff3ce6c6923af

SHA256
e7b837ceecfab43459a276d89bbce95a6236d63d8936f28e710591fae41e83f5

SHA512
98446403450529bd563bd5084ee623f16824664b5093baaff7c4ba8b501a67a1f9762766a93c63c600839425ed3c121525b3623eb86b5ccfe9f9559b40c65b12

Download Submit
C:\WINDOWS\Starter.xml

Filesize
157KB

MD5
88b2b20775471b395f94654e69c48dd5

SHA1
2d8ffb268fb597a4c2b23bebe73b6c26ebc2ed7f

SHA256
360df5b522ee6b2422784d92e83d26b52eb88664856221c4671bf3441f81f879

SHA512
d54f5371446590cb833190e367ddcb39440ce6d64e2cf4648ced23d8538d4eacbdb0220ff0da7db9e0bed69ae41a5642b959dd1c4dc15cdda0a4612062034f13

Download Submit
C:\WINDOWS\SysWOW64\NOISE.CHS

Filesize
56KB

MD5
8d5792cac862f5fcc84bf0f64b4d5e94

SHA1
1070a834b3830290be5aa7dbe262bf76f5b7ffa0

SHA256
3bccd18d743f5ffc4e06d03a3dabd577923d3f20a87a2b4a9f445da44032a6f2

SHA512
d492486d8863a81e0037d2402be4ee9d70609541aa71c91aeeda8c848c125ff82a5cc91401a79b0de1da8fff1a493dc3b09f23d255a141ff6f2edfb0c752667f

Download Submit
C:\WINDOWS\SysWOW64\NOISE.CHT

Filesize
29KB

MD5
40c48dc4cdda1b34ad55703a91e9ff39

SHA1
9b9c2bc7367ee474a0c801fda755523c5e635034

SHA256
5522759f4e242b7e51f132104227950000ed9029df5ab90159b535f021045b32

SHA512
a95a71dbed2c1f318c61605d2f672889c655ece2a5f32babbbda5503261a82cf4083c0e4cb4350863cd3fc27bd240e59457b9fa4f2c8a6ffa4768699a570c72b

Download Submit
C:\WINDOWS\SysWOW64\NOISE.DAT

Filesize
28KB

MD5
d2119494e071941aaca4f4facec050c8

SHA1
e17f273c5bfb088be0311565be4e0ae14ade0286

SHA256
671fb36cce97fd9134fabd486f8238a3db394c5eb42da7ae2b2cc2dcfd95a4c3

SHA512
21b1296efb957b6ec648a6e6e97948c17f010c6a5c07fe155703497b4affbc41aa8c0b5d345e883f1711afd7cfff060083477d644437134f0db539b611661265

Download Submit
C:\WINDOWS\SysWOW64\NOISE.THA

Filesize
55KB

MD5
97a83bb5976f0630a432198c5bad9797

SHA1
1cf4cedcff1c220405e6db5ae27a8b419e600232

SHA256
7edb02e30238dc2d5d7e6e9ca78e3c74d476b145c212b7232784e9c99d1233aa

SHA512
5d4683ad730a97189c267385fb8ba7564b1971b7fcd4b01b563b2531e85a89860ae78de179959228ba96c7b25d61addc8083a3ca3a3bcfcc114b1556e9de6953

Download Submit
C:\WINDOWS\SysWOW64\PerfStringBackup.INI

Filesize
767KB

MD5
69b3ee81d383692ea7dc34a7221f3821

SHA1
fec34d3a29b38fcf14fd83fb0dd4f2b6b51211cd

SHA256
2bccd3e3fbf9f55c82feb487fdd5601d9c31f7a0b18f269d2b8b79882fcdd709

SHA512
bd5fdcea17e8ecf9b2bcd5ea050a8c904c2eda0fa48c696880f39a6aa4ef21e708717e5c76c049016cba88cd3715711d61eabd703102051c3a8a3f2854a1ee08

Download Submit
C:\WINDOWS\SysWOW64\concrt140.dll

Filesize
269KB

MD5
da2c3c2d1cc9a0814d1f27dc33bb7792

SHA1
6fd2125a82b5120d6952c7e60702775374fa6ee9

SHA256
077374a2cac843122cae546afae3805e7e6a9a11eab19c875d2bc3555b9acbba

SHA512
05c0f405627ab5d1d7d1978e97b6c05e7fbd2780903a325c4d137a8a5b051148fa0222d3765a4b69fe21643bff3a5830c72090d4327253528d14967ac79e8c31

Download Submit
C:\WINDOWS\SysWOW64\mapisvc.inf

Filesize
55KB

MD5
1761a3f68a3aa0eea2115ae41c760d18

SHA1
bbd27fc36d3a2e32e03a2709ba31e72e965c7f27

SHA256
aabc4ab0c920421307b1f09ef2abd56b95899bdd4b40d3bf307adb3401056235

SHA512
b6b09ea2e978f0995f77b5d2168e4dd1d9836dc89503240b8dff7e4914bbf7da49dcd6ea690a4ff813db18c946c69e528dc42d7a4fd85500b6ae764c80229a51

Download Submit
C:\WINDOWS\SysWOW64\mfc100deu.dll

Filesize
90KB

MD5
53436bb6ef8c26be1953b280f29aa2de

SHA1
feb271f2dac7c4b2d08bab4dbffd89c13006ea50

SHA256
3c26fab38744c487e7923c8b42f9e92b6ed1d04534072880f71960dfb41687fb

SHA512
b1544ebbfd6af43545e9d4beb8b8c56685657a8f38fc0fe01888a1e248e1551dad484233c7f92f7738daf632763c846be10b6a6590c0e8bc791acbde06243ee9

Download Submit
C:\WINDOWS\SysWOW64\mfc100esn.dll

Filesize
89KB

MD5
8b8808c118f4d477aa1110c537427401

SHA1
6dec66c573270a6ebd743f570ba24600f787397e

SHA256
569dbc1b12d13cee1194e53ae28b8aefce9e58d5fc9a75cc834925c82c6f196e

SHA512
ddb327b3d7ab1c44343bb52ef15441c630a0fdea61aa99d5694c4aa470c307276e78dc9b49cbd05f08d963beb1ceb4e2b52493d2ff7659e16b8c1e3cf249c4d5

Download Submit
C:\WINDOWS\SysWOW64\mfc100fra.dll

Filesize
90KB

MD5
463d00574298883ba4c243b7b4156cf5

SHA1
a0f292962761a1e7e29ca22d72f70435fcc874b1

SHA256
a3d09eb6405025bc4a435ff56e2e22072a2e8f830d455348bb2a56f8800034e3

SHA512
1102a70c65873ec63dc3773b5f0d459fddc5837017b5c7da646e790a9b3c20fd0da62970a2c02c5870626ddb8b1bb9a8041bc305589d3332b4f105479eea0c7d

Download Submit
C:\WINDOWS\SysWOW64\mfc100ita.dll

Filesize
116KB

MD5
2ebb1cc758efee423744bc8af424b13e

SHA1
274f9c2fd099bc425f753b4e3e905881d403a46f

SHA256
0f777f2762aabb4147809bbd103b81c0eb2730359e38249cf50b4542cdba79db

SHA512
d591b3ebd6fa143e836754021e7053d8b5d0fc625a476d732a1e56a76a0b90637f098cf8f8f93559fb71c92d9a017b6c055bace988521cf4eb723042f1b1d027

Download Submit
C:\WINDOWS\SysWOW64\mfc100jpn.dll

Filesize
98KB

MD5
08e8d95de2984d79a7e9becc77950b51

SHA1
0351685e539fac72926c842deeebb2db963cb7d7

SHA256
bd365039605be8d7509e4f41ba50ca9e5079289e8d8e254cd5a94c6f5583cc9f

SHA512
c339d27150d7a77d0eeac6be37feb28435beff59e005ddd1fb2fa6a0735cdd397fd4848eb5e2eeb4db2a6b38acf3d67bda87f351ac15a451f28185fbe11b019e

Download Submit
C:\WINDOWS\SysWOW64\mfc110fra.dll

Filesize
100KB

MD5
8f2100404dc98cb35abf62b6b4e6d64e

SHA1
69467595e479325104209b15b71a362cce032eba

SHA256
6091959748dadef6bac64e6b4dd8d1602853b7a4f1ccf4d0b07dbc01d274f28c

SHA512
19801d8fb8a6c917b2a6b2bc5544247803dd7197767a35107af7e4b416a92e990f540ec9dc3e81e6718f02c2c707b9adf1dffea65528568b1703e0df52311ebe

Download Submit
C:\WINDOWS\SysWOW64\mfc110ita.dll

Filesize
98KB

MD5
df5656da52444dc087bc722ddef2d887

SHA1
7746e17d778864994d5550fe4f24f2295a458a2e

SHA256
c1bb3c37527ddd912c82995b7a7b6b4c910a80fee0223ec4df8b8927adb356da

SHA512
2b1810fa88782b8f7bc8014bf56e6c8bfcd5bedfac1dc357c24db90ff701e7e2983915c206afac36e8ad22ccc1c45f86ea57c979e20ef44fd04af29a8e36a54a

Download Submit
C:\WINDOWS\SysWOW64\mfc110jpn.dll

Filesize
80KB

MD5
754befbfeab6768c4174b7344c603f63

SHA1
86a1c173b37a18d399d8a3501812f542c023422d

SHA256
7131fa8d4d4f2e387b35942db3c16c13d9dd0d0193fc5f8fd40443582c85d8c7

SHA512
e0510417207884a34f77f164666e117bc4c0a67a7e067ca1dd81d32891323a794a727096a2c5e9fcfed3388f46ed5173b53b4e82eabb34f51839213d8a3c3bad

Download Submit
C:\WINDOWS\SysWOW64\mfc120deu.dll

Filesize
100KB

MD5
458978d945be4c8b91e62751a0a6d3f0

SHA1
5fcbe8e8db2f25dd9f5b4defa55baf3929e90c3e

SHA256
44dab5b0bfcf666ab5c1e56808bf1351e0d17102f726f29c5072673403d0d78d

SHA512
12175e264c75400fe5f067a98febe9c3b59a05b4712d5f1db00886b84a914f23eb23ac8633af582ac2c2a9141085546f3b6c6e7dc8809614ec8d83dc9a1dc025

Download Submit
C:\WINDOWS\SysWOW64\mfc120enu.dll

Filesize
91KB

MD5
addf8f48828ecdfd8d5b0e48c4dd9060

SHA1
80b4497f7014a47a08f9661b01d38e841f53b1c8

SHA256
edd4d0c6b142fbefbe8ab926a53b5fec2bbf61dbb10102b92bb629f186004d94

SHA512
8d41d41d51a842301b105e5ca259d79e77205273dfe3c86636749b95122226e95f79fcb007bdba3e7a6255d0ef5ab39b0ec4c19d9eded206f6fa400f254c7603

Download Submit
C:\WINDOWS\SysWOW64\mfc120kor.dll

Filesize
79KB

MD5
5be1a40071e303a88986eb3f4c13bc16

SHA1
0c5713c55cda97264446c75cda8cbe213b3f0290

SHA256
1d6dd32af70b15d88b42a28debb5590d3cc163bc6e379518498857dc28e5734b

SHA512
2720d7dee89206bebc61ee9680c71674cb2d6efb03f13e6546ff9ca313459d9051b31cd60b0282771338c1d3085a40b7e43d20026d4958aa65b41c0255a2a052

Download Submit
C:\WINDOWS\SysWOW64\mfc140kor.dll

Filesize
73KB

MD5
2a82eae68bfb63434b8e641bc8278c89

SHA1
748dd288fd2781b71f0e037524b2949a7720b777

SHA256
1b76df4072c74632a0c20483630e4e061516a9d7492bf7f2d874d16643bdf7d8

SHA512
d3bf98d72dba1b751856f08ed36e2f8a9e94c751f717b4a50e1e5529d1b13dace0a5e74b38a91ef06c740f5c016712818fb811243fb46bc2b6c213ca6979e014

Download Submit
C:\WINDOWS\SysWOW64\mfc140rus.dll

Filesize
90KB

MD5
26fde6d7c62c383b6c55ee6d0d43950e

SHA1
fd1442e92027e4f2f7209836bb0538a9f0f7ac06

SHA256
0c42a7d182b42bfd0568976fae8d54996fe56f7cf9b32e72c95c017a3aa759b6

SHA512
d613bdd942154098ffe964764b3d819777bfb7622d0ca55d96653dc198c5253c4c1fa5a6bc3c2227923af576579df360586956634903de9605bef84a861f2f0e

Download Submit
C:\WINDOWS\SysWOW64\mfc140u.dll

Filesize
4.7MB

MD5
181865cfb13cf06f8b2cc52c0ce2c125

SHA1
86f6f021a24fda38ed3bf37574611f9c8af7e3bf

SHA256
9a36911c0eb2bfc5845c82df1f179d3ba80843371cfe01b68ecbeb0c2ecb90ab

SHA512
f10a41fa249be5e588a231e94749249d210e3ea248953a8192bada88cdb58ed857c86ce258651914f14cdd5c2eff564ea6e145efddb4ec6a4180659d18ba5af2

Download Submit
C:\WINDOWS\SysWOW64\mfcm100.dll

Filesize
107KB

MD5
69e2bc355d453aab130abbb49da42ace

SHA1
a545c9cc493e1aabf8251c6e3274100ac975c0a8

SHA256
304cfd9aa325615ef26e23e949d9a0d9de1b7614355c485531de71c272622688

SHA512
e1225ab1a3c4330d44e2941d22044db2fdb5da27ede53d46a263666fd5f1e40867c2aab59205e6d6f455d386549c0e89462fd7e954dc6dc0409d29607254abd9

Download Submit
C:\WINDOWS\SysWOW64\mfcm100u.dll

Filesize
107KB

MD5
192925b41b14e49763957be287a1293d

SHA1
cd8d2770b8a2e85414dbec4fa2ef982012fd28e1

SHA256
8820460a774abcd2b0b74cf7a0ecc90887a8f939f5c1c6b5c4ed913033680825

SHA512
b716d9b0a2e3d4c666802be42abff03bc6bc123aaf0f4ca50b90d94c9bc3afd51cb0209d7ee8febb584e88423a846e59b77dc1afb2401dc507dc9e6cde9bfd69

Download Submit
C:\WINDOWS\SysWOW64\mfcm110.dll

Filesize
108KB

MD5
774c4aaa9f1890891b723db778789b5f

SHA1
fc3b9cb55b44221bdea244c5f605443fda176caf

SHA256
2888081ff2155e0e66712b2ff5491f866af19aef3a4de6d9ee22d205f93c42de

SHA512
0a36246a5d4a35ba1084807ae6c21be196a4d1ee39c385681c3bbe6f92a2b38e7d05eaaa546865303f77bb067ede814c3e4adc3f43e946b73cb9e954f06b2371

Download Submit
C:\WINDOWS\SysWOW64\mfcm110u.dll

Filesize
108KB

MD5
e4400d7fc6a8b5837003b64cb3471fef

SHA1
c7a195c08cc3fda8d39eaf793b9fe418f597520a

SHA256
eac361aa8ecd0ef09d48630bb9d5c48c38e6c7ccf51a84d1fd6c2fbef64fab96

SHA512
e899f68957d35f01eccdf6ab0dda5d92cfc2eca70a3130ad15c3b2c5adb36654c0fa1be36b780e791046048c4c280c457cd5aec4a98cf064932a1eab8c5dadfa

Download Submit
C:\WINDOWS\SysWOW64\mfcm120.dll

Filesize
108KB

MD5
7b122e4b6e435b6976a441459863409c

SHA1
1da11d9d1b1099cd93ae72b80ecbbbde6e5203d3

SHA256
fde41d8b36749f3518477279de45280f81c2fac6865af550f58c2fcf0a1ecbe0

SHA512
c00199a584f24743d464ec053c1c142fe08a2fcd1e0d12f956c541f476505fd475026099506968824bb469a5f030bd9842bfcfb83dca4bf4a86b1cd33502dc4b

Download Submit
C:\WINDOWS\SysWOW64\mfcm120u.dll

Filesize
108KB

MD5
017ef2cc708d42c4170b2d480efab75a

SHA1
d24a48568d2018c3f3ca3d92a154243d09fb5150

SHA256
f0f0070db917f5236186e53347a69e6cd8e226d1da09dad82392ae5de7f429ca

SHA512
970d0a9f85b1f1b8234acdd484e84cc24fe50403585a375ab453c478b10e8c8705a3364e7779ce9b69adabd480a1aa51f7d63bcdc5b5907e15e1ac710ff7477e

Download Submit
C:\WINDOWS\SysWOW64\mfcm140.dll

Filesize
100KB

MD5
b8ac3492d78ace50626c13b34ad98580

SHA1
3cfc6c466e08736d2d0bf7098ac710bdb862ff80

SHA256
b7a0c7b02846698e8e538c2384d87ee5eb3fb172c07cf804e6d04f9203e7d302

SHA512
1184e2a0f9711079beaad3423018305261d109e5fb56eaae716c4b4c61afeb7e1ec7d0a7f8eec03b02005919b65684b71cc01f0cb0d24b7603471332009907c1

Download Submit
C:\WINDOWS\SysWOW64\mfcm140u.dll

Filesize
100KB

MD5
76fbaddc99ed55a61f4c3c3101a2178a

SHA1
33f3dcc4e4e8115502c019cfe21fa65a188febdb

SHA256
f8297a533f6edb77d17a58d2e8242c521c717578fe9b4a64299d276bc96bfea7

SHA512
e601d91e5206dc588209a03d9352fbe0bbeadbaf425ce0ec2994c1978d676cae4a091e66298bc4a901d50499f9643d415d9b8c364887dfa2be07cf54aaba486b

Download Submit
C:\WINDOWS\SysWOW64\noise.kor

Filesize
29KB

MD5
58bdf3b052397ae5425dd73245f73197

SHA1
b852a4c7b71519d933d7aea63b2d0e8428431e27

SHA256
341e44bb7fa4d691cec17d7b9c1b312d715061b1f40c33f7016afa20f44c2c8e

SHA512
7b6a7a2093c3b9f88627069ae9f294243b6cb01df1108e81a8a7a48a4f4c8f654270b5e2416df26e7d2af0d0d10a49264923f2e8d8a1dee6e88a455404557f58

Download Submit
C:\WINDOWS\SysWOW64\vccorlib140.dll

Filesize
291KB

MD5
00f26d72bea82a60b256d29e55020972

SHA1
73fa7f559db697f3763f2eba16eb5f1853ff3a72

SHA256
43132dab625dfc68d89888be77f14082431fb1d8f40e02302019a6dc81d73a43

SHA512
91aa00b73040fd4c5f57be205cc833919d9feb447c25a4c2ab5d0ab139b1c6181ef6732efdf36b6e27adc0888218658b8ef5fddd3fa7d93c76ad614883d28c18

Download Submit
C:\WINDOWS\SysWOW64\vcomp100.dll

Filesize
77KB

MD5
f08ac1a620d76dd560705fc57b8549c0

SHA1
8b2bfae766ec8eee5ae6a8360a07bf2ea5f50ce5

SHA256
3644ddfce04ed8b32d460cab1e6019cef1941212dd75e1e4e1c74cf3e98a39bc

SHA512
dcbdc7d0c9a20e82ffd674285f39724f3e8f74c570270e1fe570130c84f1a16c80e8f0f5b88626688573cc75dbb71496c5fc81b5bbb74703aa640623f59eb3b0

Download Submit
C:\WINDOWS\SysWOW64\vcomp110.dll

Filesize
150KB

MD5
ade79f91af86a831c4f5a0ad958be7c4

SHA1
8ac0d397c8b089631da83dcac33f76331e8bc8ac

SHA256
a91441e4220072ed731d7f76761cb58916f488ce119c162ed7c9a59e9c186c09

SHA512
0696107be59801a23e9dd33a19272feeb4063520267603c8e70e836e0894b9e388134a8446e5e367dd62cde4bb7c9dac291d4f30712eba7f1eb4c2561d9ba3b9

Download Submit
C:\WINDOWS\SysWOW64\vcomp120.dll

Filesize
172KB

MD5
217bbf9a0a7b25d1ca9c94cc201d7eb2

SHA1
d2b4d4f76583aa4934a575c9214fd3e16d025c54

SHA256
26f59a7e49e2970c468dd3900fb6316eb65c4581b1e8d647ded8fdd3fd758b32

SHA512
bf0ead1020a7df443d4f63cbd095f9529175a6d4628b68d4f48cf48239d948f8f57bd3c27a4e95007ce3e0a8a21662d54eadf960e489a7ff5a4d220a294b3f2d

Download Submit
C:\WINDOWS\SysWOW64\vcomp140.dll

Filesize
202KB

MD5
515a7988734f57887681194351ff7908

SHA1
8bd7d6de8231b8b70cb0820f3f64e3b56d7ad2b9

SHA256
3e297a5f60d00f8737748a8f0b4b6371bd90449d8b86386eb88c549a342b5202

SHA512
45f3103eb609b68c0e7fdf1abb8b78e52326cb1f51f9c1c08245bd55ff2fd6b32a8d0000dbbe32332029a56d988f474f9cdf7c28adadbaadf6c8a9feb146b04d

Download Submit
C:\WINDOWS\SysWOW64\vcruntime140.dll

Filesize
103KB

MD5
38732fbf4e75f3b277f38934f9f139b2

SHA1
9d4c14df6d836156e0b65208dc128bdde76e6783

SHA256
23b1215533e37d8eae713a4492d4c03a9cd36dbf044bc79225e2f833dba32cbf

SHA512
636c1ff3b87b12f6658c45ea63b695ab313072f3232b216de2d785d1e04da9ddb3f65f58bb8154674c6082493a26d6a9392703cf482707840de4edbb5bedbfe1

Download Submit
C:\WINDOWS\TSSysprep.log

Filesize
111KB

MD5
999239fe87efa962358b3e4d1785f581

SHA1
55f5e2b17960fc8599328e76059352e5cd40998c

SHA256
de3cd4af3d7aca2b77b1e3f6cae3e1393d8c4daa74e757e9ae4ebce32fa8154f

SHA512
2284fd646be03b5b1b89025f2d7973ad5f421f2fdaa8d4cd7561cc38f689b851917a94294adf8a5743640515072ed89bec6066e7fc84ba69d87274b14c5e7353

Download Submit
C:\WINDOWS\TSSysprep.log

Filesize
56KB

MD5
1abb34e7ff7b7774ef80b58c7b0b4140

SHA1
1a9573f6b74e37c94528e4b1f0abe9b79092cc61

SHA256
a81d5efb16fdf04ff5d6f9e22893d73e7ad1014549b359fd7ad413de97073624

SHA512
3bade8987461fef20b351c0eba851e36723eca835ac497ea580d6d79f2adce656e48a1e0660f1c1c7e776b498963b2ce050300a0a1d4d3c0c4fc2788e15d5a68

Download Submit
C:\WINDOWS\Ultimate.xml

Filesize
161KB

MD5
1ce65f367483f03aaeb147d99b1f1790

SHA1
e044fadcaa1a5bf77a121a6d63f9b83bb27e313e

SHA256
8c44ca97994b7970e7bebbcd0e9cecbc7d73647bf1fb02bc4cee9e98450af378

SHA512
a3bd48d398979fdbf52c637a49ded6b1872b5cb343be5f84b31858d5a59a0729a8b081c280a832a688e7c13eb56f859550ec97d2fc1900817c25bd6201e31f9e

Download Submit
C:\WINDOWS\Ultimate.xml

Filesize
105KB

MD5
082be53cc1c527c4f0f2db1deb7032dc

SHA1
42cc62535447053f5cd15565d35c1a621ac78f70

SHA256
f62a31cdf594f16107235d0bf4be7211437533a8d1d4a7d83c7e7c632026d24d

SHA512
b56ee2c8b6753f65c0ba188e1429844cde477c732501c8e7cd897ffea6673e96107ca97426852ce82caceb763a2af1fe7bd5b0d947de924258c55dab6e3f82d0

Download Submit
C:\WINDOWS\WindowsUpdate.log

Filesize
71KB

MD5
60b0b4d400cb943cd8495b87bd6e88d5

SHA1
0e064e92bcdd83b21a7f90262673b379130f74c9

SHA256
c2560cc07137695e1744971f4a32afb9798fa26a4db8f5a39d0687cdbd62d1fc

SHA512
24ab121b4d42a2ef849d4cfb77c98510925de44e04fc80e79a3e21396cb11613c74274d7d63b606b5353e8d856207b420a3c736779e845b9798eddbbd1bf6aee

Download Submit
C:\WINDOWS\msdfmap.ini

Filesize
56KB

MD5
c015f59dd9fbaa9d33761b3f0cce600b

SHA1
d8fdc0641ac742b8ec6a1e73ae2d1f3b80a28488

SHA256
5ca15997c5a81f4100fdb93257f91cee13081794339eefee0340d6ac3b8f3c38

SHA512
12a7daaecd2bebb796f0949741f24a402314ccbcfb6fb9e0b19c280f999805040023e9ed81d60db79153bafc1400594313f033a5dccb86aa118335eb874d7f77

Download Submit
C:\WINDOWS\msdfmap.ini

Filesize
111KB

MD5
c61fc06c3d7a643e450d5de4ae4b1e9c

SHA1
87a147b00a145654a3d48905345332f5257912d3

SHA256
e5249ee9de45248e5d4b1329101a4265889bbde68f0c6135459bb3b5ce4f5a97

SHA512
aa62e960324ca5ad39ee93622b451f6467afc3709deebdb78b34a60819f2ac772682bad4d1f3a4cfd792da3651cd8015d176b451eb402f0d7537da677562ef31

Download Submit
C:\WINDOWS\setupact.log

Filesize
76KB

MD5
d6872d2addd452af09264e9cacfe20eb

SHA1
5805a92aae9883c5bb0e87975ef88eff6a8a413d

SHA256
08836ab26ce6ddb43300d80bd7d8867e7301131b5f33d8bfed0e807a7179391f

SHA512
a8e2b0814b6895a9636dcba6c98e2b1deea139fbf9fd25ed8c960c6b73c2fafe992ce7372771347b383105d7717d52374cecb3e523b072cdf834b7502696aca4

Download Submit
C:\WINDOWS\setupact.log

Filesize
132KB

MD5
c1514bc0be0114940b4b09d5105d8a2b

SHA1
167fca708b151ae11bf055cd00bfec27cbd20987

SHA256
eeb20dd8b1b726c27c7e5b9f627de7c6d71e4a834219ade427ebb5b043e698b4

SHA512
1460c30eb25eda610006721256b1b4d0e1a4bcf91eb310b2771f7973f80ebd67d0b585c18124d1080763a9c593f6009f7ec94e2ef260184740dd8eaee62721fb

Download Submit
C:\WINDOWS\setuperr.log

Filesize
55KB

MD5
ed630096c44745f3944c357902eed14d

SHA1
a803a9a3b82de9e952d3526cc65c34bfb460934d

SHA256
379ce47c80167160f3ad01b439f007473efbca64ee4b86297a1e5c4123f2b8a2

SHA512
17e1ed4579b729b72a3119ef7fff868c084a0e3c1a496c2cfb5fc4b1d81883868c23d9bf00c9da8ade6fb13585ad22b3f7e5bc65d8f6df93f57dc393f7416f8f

Download Submit
C:\WINDOWS\setuperr.log

Filesize
110KB

MD5
9e1548191367a5782f96e081b2c7f2b9

SHA1
fa2f06dc0a2e682b42c829fbc928b90630c56e2f

SHA256
f288ae64f02c5245479f54977bed92f30799ab6b0b5d90dd78e9dcabd554bd1b

SHA512
9cf92f5b8d5f4a6de5d2d1169f96b1d424fecbbc174e1f1da19d69b0a24ecc0ba34137e8227e16667c1d662518c673f9253325be8ee0aba3a110116b11eda71b

Download Submit
C:\WINDOWS\system.ini

Filesize
110KB

MD5
3f77a2b14341d4662db30516402fa160

SHA1
e00766f81afe6479a4f37dcc6688e256e1a0ab0d

SHA256
93ffd703e42424e785ff62a7305c6a9ff6762e19c925b78ccd47c9378515a219

SHA512
e3a3071599d0cbaa7bed03e65ad7668179e7c448fb9f3e4210b395b40ccbedfaeb32647b69915579161d8206b91a9270f7bf9904f66e7b1bf7053952c240a9ee

Download Submit
C:\WINDOWS\system.ini

Filesize
55KB

MD5
ea9dbda8a9fc0c0fe074f3a23bd1bebd

SHA1
1d233685d5d4d89272ab2988ec65612af8d23a1d

SHA256
46463b4397a986e8fe6a8d1d2c39310a26b2a4fd321a9deb363553e0963d5bf4

SHA512
588707710a7562b35f47ae9d50a409181900858b8d32582ffffe8f7c6ff34da496f8c4b4db854aebc6b71df63d0c447695e90cbc1bcf4e8cf17f536ee16d4c61

Download Submit
C:\WINDOWS\win.ini

Filesize
55KB

MD5
c81b335dadd0bf5a73cb8041da7bfe32

SHA1
2ec9fd1cdf54df7dbbbe1ff9e745046016399870

SHA256
a24114ddddef8907ee21e1d33723d65b368497d275120f9cebb2c46b3a928206

SHA512
c896e1d2d78a1fdc9acc71ebb84ddc62aaf96ef8fcdead0818bf0379d743220afa7a2aac706ed2e1dd1aeaa9963bbcfb7ab7d6ae63f9a9d87e24de0f65111938

Download Submit
C:\Windows\setuperr.log

Filesize
27KB

MD5
dc931c7731cf24d59f2844da4dc0b428

SHA1
2e3554b592f25da2e0914aefd40294ac2e1fe099

SHA256
13491f7c0ccee5cec4a315426c124391f8a9edf912468f5273a0c35073bc8ee4

SHA512
86af05b73531ae24ef377e3c51b2b7b0a13f4dd2018bdfa452532c2c50584b4f62453e88f0f91d8e08ffe1703582102c97dd6dc08bd6e6aa68a69b949e0cee0b

Download Submit
C:\exc.exe

Filesize
359KB

MD5
ead89382e162e16066ddb636e25a8852

SHA1
ac9eff0f263790530f470cbb11ba70af550f4273

SHA256
948a38ec90673e01edd1d9daaea56c86df47abf0c11a805680675e1d72f536f8

SHA512
cfc0b01e155fd87d13b1a6b62ee98a55c48123dde984f6b70824f5bafebd724e38f2c14cea7046fa7f05948ead486dcc64e4c39ef88feaa2843b14e4e8f042a8

Download Submit
memory/2028-604-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-1-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-312-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-2428-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-3551-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2028-3071-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2400-313-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2400-2429-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2400-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2400-3072-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2400-4785-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download