7036f196a147bd79fedbf677da6fda73217835e68665047ea8d4614fecf76c71

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
Size

148KB
MD5

a9be7ce20097e868436b5929ca3a0b0f
SHA1

acdc9d45e7228c8653d6bc11da6a9b62330bd112
SHA256

7036f196a147bd79fedbf677da6fda73217835e68665047ea8d4614fecf76c71
SHA512

26ccdf66b314ea005d57413b57106d5435b50d79b264066bc062b162218f4183c6acbcc4182c4ec0d15b5455d3785737590ee7ff06cb533be407ce7bd04b822d
SSDEEP

3072:QTInoF0+6Fkg9fErUgcnb3D9N7Tpc1w9YKoNljo:QTInx+OV9srUg47pO3E

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1716	Lqglgw.exe
1060	Lqglgw.exe

Loads dropped DLL 3 IoCs

pid	Process
2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
1716	Lqglgw.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\Lqglgw = "C:\\Users\\Admin\\AppData\\Roaming\\Lqglgw.exe"	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2960 set thread context of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 1716 set thread context of 1060	1716	Lqglgw.exe	32

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqglgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lqglgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430206696"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BFA068D1-5DEA-11EF-AB2E-FEF21B3B37D6} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	Lqglgw.exe
Token: SeDebugPrivilege	2740	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2832	IEXPLORE.EXE
2832	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2960 wrote to memory of 2116	2960	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	30
PID 2116 wrote to memory of 1716	2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1716	2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1716	2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	31
PID 2116 wrote to memory of 1716	2116	a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe	31
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1716 wrote to memory of 1060	1716	Lqglgw.exe	32
PID 1060 wrote to memory of 2808	1060	Lqglgw.exe	33
PID 1060 wrote to memory of 2808	1060	Lqglgw.exe	33
PID 1060 wrote to memory of 2808	1060	Lqglgw.exe	33
PID 1060 wrote to memory of 2808	1060	Lqglgw.exe	33
PID 2808 wrote to memory of 2832	2808	iexplore.exe	34
PID 2808 wrote to memory of 2832	2808	iexplore.exe	34
PID 2808 wrote to memory of 2832	2808	iexplore.exe	34
PID 2808 wrote to memory of 2832	2808	iexplore.exe	34
PID 2832 wrote to memory of 2740	2832	IEXPLORE.EXE	35
PID 2832 wrote to memory of 2740	2832	IEXPLORE.EXE	35
PID 2832 wrote to memory of 2740	2832	IEXPLORE.EXE	35
PID 2832 wrote to memory of 2740	2832	IEXPLORE.EXE	35
PID 1060 wrote to memory of 2740	1060	Lqglgw.exe	35
PID 1060 wrote to memory of 2740	1060	Lqglgw.exe	35

C:\Users\Admin\AppData\Local\Temp\a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\a9be7ce20097e868436b5929ca3a0b0f_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Roaming\Lqglgw.exe
    "C:\Users\Admin\AppData\Roaming\Lqglgw.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Users\Admin\AppData\Roaming\Lqglgw.exe
      C:\Users\Admin\AppData\Roaming\Lqglgw.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1060
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2832 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67e5dcf73b49b8ddfb9430b6a0885f58

SHA1
7ee011c845dae7dca54157b46765e5e4beef9056

SHA256
23412447ce8f026e31095b12d3b5187dbf39d87d608527ee38257c11ec809987

SHA512
65c10aa9276b1b51e4d7e0f6ab71d8b33d11bf897a2da3d2a9f717d72613b72dada330062f88353a8eee45bfc39569a6c8ff4c4bdfe5a5b3f48ac003f80d4af9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b92c6ee744e6d2c50f524c942a477e6d

SHA1
863b4f1f103c14808a74bf1f2553bbe10ff592dd

SHA256
9c51eb5e380332036e11061485172c26b557a3b8c42760b059287aef7a02c7df

SHA512
44d602e223c18659c816b55a63879efc045a63d7200251e4542dad3531b85c4f69b1983173844f2e82b4c2799b1977bc44fafb7e93487b9b9b31ac11b1f10350

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed48bf3056844b9a24d3dfb2983433a4

SHA1
89f636450a8805a3736abe5b3fc0525f789ed1b2

SHA256
d4acddfa7e5e7a5f44a789b7f50ffbe28fc49890264dab5899afff0a8e404a13

SHA512
0668ea62229bea94e22fedd9c1dd23ec07d803bf976f9c6376bb3440ec0a7a13f9e2766c22fb25af81550bdfbd60c18a8ced8ec892fbf06e7991ad5bd391d2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cb4b7852ff857c42aa3967f50ae4739

SHA1
a8d3a937ae243caa00ef857b43ac5c44710b8763

SHA256
310a0c46c927829a8753e862d56142960c57c9a40bbec13f70a15b70dd985dd9

SHA512
16dfb22aeb120d38619fca2771896ea8dc419c6582d4ceef1c144da5eb4febc3d9067a2e76e58979b60af8f3009d46529079be0fac04a2602143eec0dff8e2a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1620e3c82c7e86e55847f5037f19690e

SHA1
330a20a7166e0463faf78fd274af12d107da4a7b

SHA256
2bcf6d6da0153c4001f4022d80fcef053e18b6ac9a2c9327d65d1b9fbcf86df7

SHA512
b0053b28fd4935c979a6b707b3cd90d87456a054de1238c3de28d926dbfaf18dbf651136b90ba88df95dd180e2faf565ffb4776d4048818039ba1c53ec7d703b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
418b96b7f96ab6fe935baeed56c09536

SHA1
b6829e351787b0e09d8251c0eada3e0485f3e09b

SHA256
4b8608db89f5600ba3f9f473d5a78cd05c267d4f951cd7736025e9af7fc7fb5b

SHA512
fb36c286ca87de38180a6486fc4bc41d3b781f70c131a3d418c13d4a6b42c423312f2114239386258d25ee950e044e4055cf6bb5e3c74255127c5134b58a2f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aa13bbf16160c956f28a35ec4a1939f

SHA1
8c224c2dabba1b23812db979af0e49ac09f03445

SHA256
07907436fb4b0dcaca1a3217219f5445480b3f1c7c4c899cdc42274c8324be06

SHA512
1be00b6fecd58f39840343faf4795e5060c237379344ae2c5aae580c92bd6c04e9fcf71efb7d92f2ee17e727f5a51a10e54751926394c8376220cfa988234ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67923f5c2a8e24c923e9d8d66a8f3f7a

SHA1
e53968337022faa66e49cf3a00f0e077f0fe3f04

SHA256
e58ee55ef437e569c43970d257f709c9abb3e095970104010e22fc30cbc0fe14

SHA512
2980ca8714b959fb18dcc7d1bc86ffc18e219176e2f51ad37afa13b9f0138e69a8eadde54150cd3d00b395a75e21befa67fb59982f6e1e84368fbbdcb74d89d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f9bdbd55fddd9b22a43809d5d26d1e9

SHA1
d49ff1bd40d4d1f2b70e39303dd0e5d08d6881d7

SHA256
a00296c4d72ea9e0919787312688704365119b9c639f31d2f029e8c70ce6fd3c

SHA512
29e68536a8a2487f3e7424504c24b4bd33ac364af9ad8cd4bb8c1ea4f9551ea3e75891d0f8a526a8f5c1ff8f125574c09627c80cb39cfad53e3ab823ddbc4972

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a929f54780161c1be33d7a03c88f087a

SHA1
e611d8458c7fb938461dba48bd3d854599df4096

SHA256
613e47d565e7fb353e3dd33ba83d29479c6a6265ad2f5b5672cdc7409031d6f3

SHA512
af430650de9b48baa3ccc404134eb8d771767acce773d647340b6a371621c32642a802aba20dcd8194579c357e92a7e3230bbda23150bcf9c7e39ad8031abcd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ada6d6efc579aeea384b95d4eec43fe5

SHA1
d2d361daf9fa941710f1cebb9a78152fe3849aef

SHA256
6b5f81b0ed69962da6b91b57de1ee729c14c9b6344c9c1f7b74b9a7a98db61d9

SHA512
e4842b3a4e320755edfa4096d50e24b20f7b74ce6334571148eec4d6864cefc82165b02aab230c6cfd67db232b4a861a8bccb1c475e1cab29e0f77d2b283aa59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1af978268a13e770149c3075f1ce5942

SHA1
9ccf85faf718c0edc801a81ed0734356fc4bc4dd

SHA256
96479be8d7e1ad0316936949b3a78ac26118b0680888a27e733678ce583649fc

SHA512
bf57b8c1c4519d138248a816647b714c16b9036f774fc2d2bf8321ff0cf8424505df3bc0fe53e021d002b9766dad29a52b902a9564fba4eff9b4eddb483c4237

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
972b0560957a1b157e94280dea58ede6

SHA1
6549b4f29e91c7a98219675a9b683462d37384de

SHA256
9b6d93ab8d26ad92fed9f98b8492bb581282afe9f42e08626ba0863a6acd0908

SHA512
108694a477d95765fdef5213ca51a3dc0429029aef043a4e44d1ffe75ea121e8bbcc1b30ab5a14e601da1c756e82e9954568a5c059defa92196798c0c9019a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e092e69d37c30c788bbbec13605e3a7

SHA1
44d477a8d5ce57280acc81773153175d592b0e7e

SHA256
0fcf0790891ff5928ff50edf2aca8a7f30470a28d79a108522a04a7bceae99f7

SHA512
5777b1c3296ca34c979efb52262a965b486d192d530141442df63e1a7555483ea1c749a35e684d749f9ad02d5fd95f4544cdefe62dd3b9e22a2a897821fa8b55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6fa311851f36e872b99da0d56cf5afe

SHA1
86f40cb5af9b4461a807222232f95188fb7ac23e

SHA256
6e1003a68076be025efeaee73f7813afd3ac8282f0e16f746164a0e7b37a3005

SHA512
1d5dc7611a3d392ff280566ee607c44b4ee9d7c82b96585f6ca4bb4630c596992156529628944c9060f4cf866c00a4c5a48be7d7b80df42a3b7c10b961b5b956

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
077dd7368c89503b1b25e55d7912391b

SHA1
228a96e08105f9ddef24ff89f101154918c77989

SHA256
072bd8ecac32a217ee20134467b0eded9d1ad7895335804d996591e5942c1c39

SHA512
7aebc28f7246aade70012a6c71a0be108e6a7a882bc72f59f93f26e993f721e68b4298d8cb4986a53164ae2b0dd2f1e34396bf84383dc062609e10aab91d83e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ff96bb95af0f0a7d9a288cb388a852

SHA1
aa36367605a80397d058e1db104f549687dff8df

SHA256
f010b7293a3785c3d8c7c5dbe77af58033c7cb29484cddcdb1133e5b2bd68aa9

SHA512
086c6c98358e0bd74b9cd3cadc6c965e94ef870fcda3945dfa27480080cb89c4711cf71cc79a26db0aab710252d56c1b32f7f79ad44761a0d595e8a1814bad11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
507ac56d7f8cfaae263e790b307001bc

SHA1
b330a4d55376ec1b57980b5073c13313faa6e9d5

SHA256
2b85487c972e31c87330457de11b4b9677a849a162e4a7ba0026d42232f1a4c6

SHA512
d83413e24e633f47a22a038cbb6d218f9a977d85dd18475210eb62ccf01882153ef8f9cf3f04006bda7f44b6ed16e95fd7982c4342a5f7691fc292bce1740565

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3588c100a73a636c36621d54d75e2f30

SHA1
db73e10ab85ebc70977e9ab9734d671ae97b675d

SHA256
3a617dc18705a95ada468ff3ace3e579a5c87b5ea013c5eb74a1ecdffc30d7d1

SHA512
ae3df23e145dac904870755fc23554c6a9c884ea684636f665b7a0e9fc29ae00126dec40efda50f7750e7c5b0db8788fa741eecc3fc43eecdadb5676e471cbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD827.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD8D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\Lqglgw.exe

Filesize
148KB

MD5
a9be7ce20097e868436b5929ca3a0b0f

SHA1
acdc9d45e7228c8653d6bc11da6a9b62330bd112

SHA256
7036f196a147bd79fedbf677da6fda73217835e68665047ea8d4614fecf76c71

SHA512
26ccdf66b314ea005d57413b57106d5435b50d79b264066bc062b162218f4183c6acbcc4182c4ec0d15b5455d3785737590ee7ff06cb533be407ce7bd04b822d

Download Submit
memory/1060-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1060-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1716-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2116-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2116-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2116-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2116-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2960-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2960-4-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download