fbab092e7f035874aa98fae6aa3441573425672f22fd8d6e3cfb524fc69322f3

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24-08-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Size

95KB
MD5

bf5e595d5d73e8d2cf28dd4a2c835aab
SHA1

ce020548152a7838bde8454bc912b1be02265995
SHA256

fbab092e7f035874aa98fae6aa3441573425672f22fd8d6e3cfb524fc69322f3
SHA512

6025386318c0e4a8ba086c72e6b64ac257f3cf84e793583ae640f14b6e4b877d3539edc1d81b2b66aa4708ba913bc0a21e32fe4395f58ed6c5741e7a71e31176
SSDEEP

1536:EpgpHzb9dZVX9fHMvG0D3XJYwXqf2gUBglcADKd56zAmxFGlbJUcFJVKMgOG9M:ygXdZt9P6D3XJzqOgkjADKd5H+FkFJn1

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1964	installstat.exe

Loads dropped DLL 4 IoCs

pid	Process
2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
1964	installstat.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\EditPlus\kk48.icw	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000d4188ae5fd05c3c22ad873f001a3dc8b713f61eba8fe8838415107d2f07a8b39000000000e80000000020000200000006dc9ecf05c84d659f9ced8557a05e6de60d52575132c926d6b6848a581a9a96e2000000089623b9c63041cd387886c93ed47177f365b8bdd2700c167378b91af233af4e640000000743745585f11f4222e2a51bbc97ccff8e7685ead2c87a17db73ce3983ee03d8f5ca3058237f3c1cb827fbd82c4fcada87f4ede368e73c278b5a392d54696d3b2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d052466766f6da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000c40aad05a0da60f9c662b681a3cc47892800e5b1911762ea1ea2bd63990127cb000000000e80000000020000200000007c3ad98bfb14663ec5584b888e0af0db10d6f938f79cf8fcdad4154e07f4c5ab9000000002cb327e286df118d919c0a4fa56b9cb7754cf4e0baeb6798c948cff5de8e4a12ec58cabeb81ae0a69d92cd4db32bf2a92c0e712f8de7e8901da2088ba7ebc806f40b2d9a1551c2dc0c824afbc1674f0c962cbf8ed373a6718a8658cb8893ab8dd5a54eada1c2c4db6153bbe37753010a0ac7787d6a1da2892c7bd069456f46cf45ec6b294035f49f14eca80169841b240000000cb47d275836d6905461cad496b529fed11f216674e8bd7e107de6ced1780bd6e469cacb0636bceed8b6a7f723f8750d2b45bf9fe75a44b0c023ebaf2ddee1df0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430694095"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8FD04851-6259-11EF-A4F3-F6314D1D8E10} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\ = "´ò¿ª(&O)"	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\Command	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.icw	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.icw\ = "icwfile"	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\ScriptEngine	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\ScriptEngine\ = "VBScript"	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\icwfile\Shell	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
Token: SeBackupPrivilege	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
268	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
268	iexplore.exe
268	iexplore.exe
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE
3040	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 2296 wrote to memory of 3060	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	30
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 3060 wrote to memory of 2812	3060	cscript.exe	32
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 2296 wrote to memory of 1964	2296	bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe	34
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35
PID 268 wrote to memory of 3040	268	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf5e595d5d73e8d2cf28dd4a2c835aab_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\system32\cscript.exe" "C:\Program Files (x86)\EditPlus\kk48.icw"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWow64\WScript.exe
    "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk48.icw"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1964

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:268
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:268 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EditPlus\kk48.icw

Filesize
132B

MD5
f7b4617c843557c057c096fb5aefb221

SHA1
45e9dbce9f2580c958a02625516b4a444404bcf1

SHA256
a16b27f678c3cbf6f7fe219ff35c54b6e8fc8c37ccc34d3df180f70bedad54fb

SHA512
a8f842c2178bc1794f6a23e59164363ce3267c1adee594c8c56376847dab51a91cdec8b4a6e9f72f2433def1d886a6fccf5cf6dcbb939b4e105d414305dd2cc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99787c6fdf67b7456c00ba1f16439242

SHA1
6b0bb2f3a51b816ec9173c6a2b5424e4bb0049a6

SHA256
70525b8126b7616e003c4e81c824908ebc9c3d52354a574e4d7da2eeec3d47c1

SHA512
3fcdba593e2b09e2b128d518291287adc2e8ef367e1984ef47f433dd38f21b73f0b15084a2cce6cc6230f7536f13cc8b89b0f0ab4f5bf2f6d026cf8d66bd4b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c894e72040a3aa6bda841a9c5cfc9e6

SHA1
4b3ff6a31d775d0b86e62517afbb6fe307eb9b62

SHA256
4d4f7ab30ef5230db7759d545934423aa343acc3e1b0db98c0b81915714e6ac6

SHA512
2a84827f76a9a5367343a4bde984ec733cbe193bc42cccbae4bff05819ae63ffb2b73086e2b688797dc3f430575b23e1d0b4652593cf195af57f09ce9abb1409

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b24bb4600373193cd7015017e3f9863f

SHA1
9955c1f349f72dbb029ca5d752b5bbcc2458083c

SHA256
f276a62d67607198b7f9b913a2a6384ab8189d29c0707c036de25a8503be9a47

SHA512
b194c4e6fcb78cc889f889dc6045e413a646f65b6e1b251c6ded305e8c3006501d9f7d7008ac2363f774b91621ce391fdc62aedf629bd55c9e6ad0fabf06fc84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2999c55cc434a6b4b25f04dade2acf46

SHA1
c938194a1a9fb70e44350f0b2412ee168c3a0e5b

SHA256
1af5b0be940ec134b0d66b4dc2220d816496a992396f135aeba45ca95b6db170

SHA512
f62a6790b08d0788fc89380f7be525b65a8b2f40c7dcee503808b58e98d4cb6dde87865a1e602d53ad286baab50191bfa32df2ec6151c13b97cb5de6ca38537d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de2fc8677e9945f7b2c7a1621e6ee75

SHA1
15c437daf586a9efbb8bbd8dd1a23e810f8988fb

SHA256
52cc7e3304f3f56cf36937a81ab205b62545d50e2301d17fec010c4ce1d20fba

SHA512
a0b28f949e2e1685d60f33d692b9021ad97f75783f5c08273d1a63b3931f07976077cee0ba3e5ea5b34a3ed2076a733effd0d535abcc1756d6010fb521d875a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
009cf5c933c4d8c6dfdad85ecae120ed

SHA1
ab678cbe5f4505c50d607b6f667090337462bc8f

SHA256
618e8191ebe960c7465c8da1914f77f8fe579555e2a5accf33293afaeb795e3e

SHA512
5f077456bf90712c84545e8bc046411ce859b55f9ba2381275a5090debb648f4fba8e6bb3cd79a3bc85295e59301d8310e3f052d36da9409582becd43c38d195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fd2c438cbb701c54bb1cad5f24339f5

SHA1
adcd00e80ef3927d76b225d5de4c89f6cf50ef2b

SHA256
577af1a52b8f8ecfba8f494fc3281b05102326c2cc503209fd661d73cb226cd8

SHA512
f8678f3724aa0f22ef8542a77abbfe312992fe729bec8c303774080fb8a04d1280aaa11959a52b0c708d4f86680c2edb170a389394c894ef5c626b08d17938a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ec07e39a67cb58e3bdb85af90a1da67

SHA1
f229df7f546d4b6c047d4fe00282ac0f872b933c

SHA256
129fa3dd654617ed8b3d4898d191aed01409bdbbd6c19fb72d17ad4555c881ee

SHA512
ed136467532854f8ed8467b6076b1eab49ed3ef2744939d2dac041c875c2da11f469ce2b201c576576e6c6a70d110c697cfa01a81e5e29b1792b668a48eba4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78a0ebfdd90e101154c672c85ded0eb8

SHA1
4b63eb2c3702c48904738fd3e52f49646b921b86

SHA256
063a50e1411bd92ff263561b10f006e410a560e14fbe063a54097e03484a4bd1

SHA512
679545a982a502a4587bb57d70d2a78c81e188a7fc300e4eb365c9025b27422971fc8ff81086a86af4b4de7ab2124294c497d8a27648cace94fa0be0da12c602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a908a01b22fa6ed1fad27de5a365e6e

SHA1
1f10a45ec60d96d0de83b75fa090510be3aa9c8e

SHA256
beebd8614ea2ff829fcb4b3d97dd0ec7f3a28ebe4481fd707b48c5d53e0eada1

SHA512
d10437299726c1b5c87c939c7e77bdb1ecea333be32bacf458cfb769447629f6fc46f7c5be7f844bb6851106069a99927c4c0d7867f802ad6f5f8c54d53c401b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58df2256bf7d4edf060473b947e20fef

SHA1
3916e37ad916803ec494ad5d70f45fd88df5a94e

SHA256
516b61e5d1189d622faf78423612ba4ae026ea0b4a6f721d44cfb5798697fc7e

SHA512
18d9d48483a8ea763c9f0db9017a92eada6c574fc0db4a9f8c793b01b115d66472f0524b4b1b75c56bbf35ea85df2807e6e684af2ce1678176367d8e72de1bf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a02ba36e4b2df8068327a47b50c43342

SHA1
c92c4d65d9f226ad8d810adfc1e7077a838d647f

SHA256
613c72d624e0987cd6047764474f153f4231e44dc06f56eb8fd284364bce14c4

SHA512
880456dbafd28a1642ac9c4ef952c4ea6a60d0bba9213b84fb69a2945e23be13d0a4cac229f95fecbc64e1d8847a7c9a575c074ec3287de266c56e9ab0adfa40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
843b241eba726817f5263b183a8d0e6a

SHA1
eb602cf0a9803893d8cbf00e70097ef1a5063ebd

SHA256
140e155e1d94ed6cab0455750214f88359297c52fb954faee382264273f3d5f6

SHA512
38d1487c1e30c0caf3aeeaeef6a9684c796f846fe164345b8473c97d55d66235b4fc16d7466b20bfa31e26e1c132ec7c0c0fcc3bdf121b00d14be114d44cc2e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa6efd5f4a26c2c69d11dc739141b9b9

SHA1
f06227e2ee169f2cf158f9d1852d9fc3eae9c6c5

SHA256
43a6cc9bbc169b3d2c3b6979d1873c8b829ede9a649f8c9d02ad73164599ad58

SHA512
ee1b8722c8f06a8fdb373a6de3d9711fa01ce40385f576eefccab1989d6fc07f013a354379553b848dc9e8ca5e9e501566656e096688545a6091d1663056d2ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6598a2f9d2b6037a81894e7fc1e8cf63

SHA1
24e13dac81819a8f13f096f8efe3baf1186a37d4

SHA256
aed9e41dd580483ced169e9ff096e90d4e689f4bbe4bd66e8f6f42c92415277f

SHA512
801eb8b64dc41118768b7855447e4888de301c1abd40a87ca1c35c5178b20bb4d3797684fe131242103540398e74ca0fbe2a88bdf27c77e8141f73364609d287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3c266054aa7965b37a92f3a5e202153

SHA1
8687a7c179745cf8df529635dd8452dd10509170

SHA256
58e1f500ebd5333794c8f21bc4364eb7e3575c711a9d5a33192c7ec6b2989cdb

SHA512
14e955ebb99d8322a74ebb014246532dc34ae790406ee1bca448e126bdba33e1894f6e2ccecbc33f6ccf1e16ebf08002d0446c67a1254a6133a46a54a2385e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92f57eb62d387ffa953fdaa18a90ce8b

SHA1
de217d5440d93f158d68397ebc11caa04d26f2fa

SHA256
65c10760534eb62956a15ba46955af81c058587139439d00bb5f717ec0f6b89e

SHA512
41a5cb6fa1b4732d3707b253400524310f2e07fe605a262935e29d3ae8e008e0563384a8e396673fae72881ac4162a5671332c6343cdcac7264c27ea3072a68f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43e204a89b81c6ea02a8f0bc571955f1

SHA1
f53fb284adc9d45ebfa13daf84db2c9cdb3ea7c8

SHA256
56ff686c2865b168bed495d9fe669b50336d921ba993949ff3afd5cb2e708e29

SHA512
75e61476be7b08d9479bcb88a7d335c0a981742f136da3c4dfce296ff4a3f391e147be56d348349cea07b8875f042d554e016d90b758bd6468291275975ee67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3f3fb069624b8ca4565bc45cac2ff45

SHA1
568ea2fc95f210915721b9deddbe26702ae383fb

SHA256
5f292c8c58a2c20f22efd5eb0718452d72f39a6e34b9bdad7bc33ff8a392e9a6

SHA512
56800d9b7e62851d89502a78d50347636be4d271355cb5a629d6ccdbbabcad42b6cc869f2630930dad08950b3cfdd863acb6bccde2137a6cd3db8e9dd9237b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB9DE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA52.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\kk48.icw

Filesize
742B

MD5
d71245ebddf58e566ead844d16ff45ec

SHA1
7ef9a1c598bc1109c081c672ecb61f09e4232ee6

SHA256
d1ba20e767b223437831439138af977614c816dc918df3bde443ea75d1007571

SHA512
1d1f3e8706ddf6372f6172adfeccb280acad7cbaa6e2897496b1281966cb80ea2ef4a1a3fb4d0a6b79d9d4f88fd51dc8b5ec505c211d3a1e994874db33835296

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\statistics.dll

Filesize
80KB

MD5
cdadfa1995ac40ecdd51e83c0d67bf4f

SHA1
aa076ea83d578e4057ff9fd1e7923a497c133e8a

SHA256
56afc62c43b35ede478c5047be22cd8910022baa1d2d18108088009692e6fbd2

SHA512
75d44c6f643ba1711d823de2314734b2618df5408c4f2bc153796489452e73b15f9bff531fe23b0c34fc5259e6846bc399e17b50d2ce3e3f0d90bfc412eec5d9

Download Submit
\Users\Admin\AppData\Local\Temp\nse8FB3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nse8FB3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\installstat.exe

Filesize
44KB

MD5
7c30927884213f4fe91bbe90b591b762

SHA1
65693828963f6b6a5cbea4c9e595e06f85490f6f

SHA256
9032757cabb19a10e97e158810f885a015f3dcd5ba3da44c795d999ea90f8994

SHA512
8aadb5fd3750ab0c036c7b8d2c775e42688265b00fe75b43a6addaefc7ee20d9fa3f074dd7943570c8519943011eda08216e90551b6d6a782b9ed5ce20aa6bab

Download Submit