29239ca8de8085e5a36c6500559dbcddf4b093e90b3fae1cef680c48ed80dbed

Analysis

max time kernel
122s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 00:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
Size

128KB
MD5

d0ba1411c42bf0f1adcc412ac1acb9c6
SHA1

2e40c3ecf3119b8b7f52667600a1c8b79e228610
SHA256

29239ca8de8085e5a36c6500559dbcddf4b093e90b3fae1cef680c48ed80dbed
SHA512

2153f46727894609c6b1bd3df408e561b9b145367beaa25e807ee9d89d2c8fc939c7e31cf45b56627cd35b49cb08db8ec8a133ce10d68daa82fbdf4f3f4af657
SSDEEP

3072:VyHmGVdAqABoIInoAQ5vgGGtKYoV1KyxIoe:VyHmcuaIIoAQ5oGGjoV1lSoe

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2084	Kzxbxl.exe
2196	Kzxbxl.exe

Loads dropped DLL 3 IoCs

pid	Process
2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
2084	Kzxbxl.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Kzxbxl = "C:\\Users\\Admin\\AppData\\Roaming\\Kzxbxl.exe"	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2084 set thread context of 2196	2084	Kzxbxl.exe	33

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kzxbxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kzxbxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431830842"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4247AC21-6CB0-11EF-B60D-EAF82BEC9AF0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	Kzxbxl.exe
Token: SeDebugPrivilege	2792	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2964	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE
2792	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2332 wrote to memory of 2112	2332	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2084	2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	32
PID 2112 wrote to memory of 2084	2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	32
PID 2112 wrote to memory of 2084	2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	32
PID 2112 wrote to memory of 2084	2112	d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2084 wrote to memory of 2196	2084	Kzxbxl.exe	33
PID 2196 wrote to memory of 2856	2196	Kzxbxl.exe	34
PID 2196 wrote to memory of 2856	2196	Kzxbxl.exe	34
PID 2196 wrote to memory of 2856	2196	Kzxbxl.exe	34
PID 2196 wrote to memory of 2856	2196	Kzxbxl.exe	34
PID 2856 wrote to memory of 2964	2856	iexplore.exe	35
PID 2856 wrote to memory of 2964	2856	iexplore.exe	35
PID 2856 wrote to memory of 2964	2856	iexplore.exe	35
PID 2856 wrote to memory of 2964	2856	iexplore.exe	35
PID 2964 wrote to memory of 2792	2964	IEXPLORE.EXE	36
PID 2964 wrote to memory of 2792	2964	IEXPLORE.EXE	36
PID 2964 wrote to memory of 2792	2964	IEXPLORE.EXE	36
PID 2964 wrote to memory of 2792	2964	IEXPLORE.EXE	36
PID 2196 wrote to memory of 2792	2196	Kzxbxl.exe	36
PID 2196 wrote to memory of 2792	2196	Kzxbxl.exe	36

C:\Users\Admin\AppData\Local\Temp\d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\d0ba1411c42bf0f1adcc412ac1acb9c6_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Roaming\Kzxbxl.exe
    "C:\Users\Admin\AppData\Roaming\Kzxbxl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Users\Admin\AppData\Roaming\Kzxbxl.exe
      C:\Users\Admin\AppData\Roaming\Kzxbxl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
068c0064020356bda8a2ce99e8ef887c

SHA1
6b3b119bd7f384c12600477885dc5ade69023dc6

SHA256
9cc05e7e946a14ac700a08e3b1d59a8e4904330673d2f15c68905c7beb9f9494

SHA512
2121481c0b4496a670d458bf031d6b1486c49cf0cf332b059c6deae411fe1e47914c98c912e2debd02b8c254d5ce786ace71b0da0c5839ea6e216b644fbf4ea9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91783484b315d86ced3dbd96217eb565

SHA1
03faca9b85c1e81f3e37ea90c10e2227f62b25e4

SHA256
6bf7756fb546a3c041d7086a4ff40a8886164e907a3e7ae06882b1e2b2ba1265

SHA512
76982172222297d711655f9a5d1a7a5bf72c944dd3aadbd79153e71cb4ae563c99d566bf5158f92518089397ece142b32408c31483229319cf0b7e19816730b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
951b33d1fb1229fa53d35f6bfe4c83dd

SHA1
2f6562fdebffc8da1b3ef5ee5ad45dc39d40fbba

SHA256
568665c50050d66de88ac86153f194b881567f03f53a08e89eac2d1f3243c882

SHA512
640d07685faa92eb1de811a51fb3a21bc66e3f22575ff783df9901371bb3e81d3bd1c0f4f87bc44221750492ebda2897371155578be4148df1cfc60aa3da7ef5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eff9824fb868fc4e800334f774fa686

SHA1
a5ff44681849b6ffa91ea50b5333bb6b26da2d0e

SHA256
7f321b175fcf7d7bc9a08214ba73c2d85691153ef91a950b7ef260e4b02be3bc

SHA512
2cc9441a7593873ed3cb978ef36dc70b18e147855f9a4de0ba0f517b77303639303a2d5d1bbabf5edff3c2ac8bc5e0c22503a00889f2b88a472e0a3d89a278ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37c0261688738c1dbc6f4a836c99a7f5

SHA1
ef1679a944b9d847d00c88b6e41d3c18d30ed4a2

SHA256
dd0c8174fd170ad377d1a5f80ba956a7b3ff12242318884ea6000bc39e2323f7

SHA512
30c0643d35489460afec24b6149e594bfc751330108542baf0ead6731ede2a90be9c901a4e163411ec730a5a23c5fb7741e867b3f9df690e0d4bf582318a85b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3379d94087051e8f62762760c0a670a

SHA1
01c95cb8316971362c05c7bf7c97a3346db1fbc9

SHA256
a249c2dfe55b89cbd095b887d9f9b70d9aa03c310fd8513148a42310cb78eba4

SHA512
bf32718827f91b1f85d8a01b2d623d1efa3afcb4ebd85139665dee4472fa33d2a2e28cca7d27b9bc17dc23fdccec3aef7ff548c8a8b8c1884c949d62913e7735

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bab0452cf45a1617dee701ae7bb76618

SHA1
412367c8838e19bab5cef0ceb15c0aadf9e1921c

SHA256
9f09d142ec47abf80e2a6d1aa62ec5834fea56015edd6b2239113078f72350a2

SHA512
e603c2ab0eefb227c0e1ced07bfda98cda8f7b5a93644f813fd6e0641697adf393336cdd92f04178d60e7e0a6ce871d9d4e7480a9c6aa6502311d6cb874a5a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db182ec6edbb826b66166fe6ef952ab6

SHA1
72da7fca139d1efa6c791c5c68aa0d1d39c49d90

SHA256
bea81339efc8f8a318f126899b13d37d34e853490ed4e2d8eb1e90c48dcfe0f2

SHA512
3a23aef4e41908d80292db7da96a26f29524c9c36bddf7c072cb244d4859bd743b6f7fb6ca5fc8d01b7be388e5dd5dfea1c4aa3008b175dbbd63d0640a4a87ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4dc322c90fb0eed210e1347953ac97e

SHA1
a94fc926f4e1bf056f6d63f90d110fc5209045e2

SHA256
7cee842f3f21bfca03eb2eaf8a77972b2c3e1d17e69bfc3de216d57b63569a31

SHA512
4939900654043fb556f0c889d295b5f01c525d321ffac60bddca67741cc6140f355ff921877194921a20f316dfed8a28a9ed52779e77c213370b297bba7cb74c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e019a8caa68a74d1712ae0be0802d271

SHA1
9900fa97fad8bf042ef82e780c03f20a37b186dd

SHA256
0329a9a1a88780d097e47acfe602ae771fe59e07c750e43e56d9c7408e2f953d

SHA512
6bcbe362a120bf25266383b7a8d48291829bc687f901df2da54ad7c9639d4a5ccf4197c6bd306d96c63b4599c78a5a4d9cc0f10b1e1b2377ee96e820dea58e9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19ee0eda01729b36caf3240e03dbcbc2

SHA1
f91ee8e6cd287babb92a372ffb6b4305f5e798a3

SHA256
f397e20d2689ab19d56dea80a7fe1766a873a8388d1fdf071f0b8f2775d81eea

SHA512
64a64d7d7147b36e444ea97a3ae2b01dc1de1f58802f14dab4e3aebfbb02446cfb0a4a5ae6c7e5d67567afd7df3ab923e49f445da6ad769f6fa61606f68b8745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0b9d6f82ed5444f5b6013db34d5f4eb

SHA1
65ccee52ffc6052e8f88b326a13a99e2f534f752

SHA256
a9694128255e38ee9330a732ea76258a29f9c4fa4097337d30aecd2f7127ced3

SHA512
232e43a546f25ad9ee707e08e25a5970d57cdde2cc22c5883e2ad4ebfeef3b428b683d89eefffa6a7cc7f564055a6a3568f0b1bed41674ea4bedcb209ff684b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f836c91acc0e799848620818d3bdf86f

SHA1
7a6089ff0c9c2c6ffb45d22ad5e6b5d7a1a0fea5

SHA256
9395e75c4292f17d6c2de7e03c0a5b918f836e714585e226b563521c79696633

SHA512
42e7359f222c484a15fe63a96cb98732611aa46d36faf02b99d0abdf688560aeb030055b5703baede65397c730265108ffb2551c1ed2b86dca5495ff244278a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b81509b26fd6cf43143c6b01d66899

SHA1
fdb24bf2f220ab636eb10888a6e369335df21c7e

SHA256
c22d5ef19533a2ca15763f60cda34be6565055663da3370a7e0c20d981dc60f1

SHA512
4203a6361ed1e80e909796988890215c8e508ddb8d754361a4a1e67705fd5f06523a579ebb02a5b4ccff93e0cc92e1d60a6fd71ecd013cfeee20ac57ac38ff54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46fcef4291c21f4d383ca1f441caad0f

SHA1
2513924eeec2e87c8eefb990c57541f5c6b703f5

SHA256
fa3ee96d22a4a8a4567f0249b423e99ef5cbfcafe7b6a0836553504f921331f8

SHA512
fefb146b06df023996cfe931b3581cdef7fb066fcd70a63c56d0e19042e98e9e2abe79556486d069c0475ff8e599030757066f96161fab0e9bf5a41b4870acd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e83471e355b3621827e5af0818cd2994

SHA1
df09f84cc83d29719590e0d1b94a7852e1132d4d

SHA256
85050b37871e559be9314d41c4fb55cbba431c13e37c760b7a7b408b1cf03b17

SHA512
3b08c01f2b9a63bc82f80f388d8ff5f93f959a46531401bd8f5cb4e34e28bf9b5b34e6172630a2e9c6fe343af798aef3b7f09d74e5cab4f55b0ea0c7cabc3b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30e9194288365dc7731121a7c12d65ff

SHA1
8dffab4495e04302804dc8e2782d24d680747e28

SHA256
86adbd43059d6a2eb9889866294a4531d4486c0bbab6b568ed4a345ca5668869

SHA512
34648af09acc2378dddef57a3159d8f665cd78c372001f20999b12a769aebfbdd56362e64244a6726233d23d9b4a48924ee4462cd2f82c532b85a290809a996f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f078e73658231e76ee8c287a771f4f6

SHA1
82ceff664f5e99550563436a898e7508e15e2253

SHA256
de3631c6444ea7f4826a128189f19a7971ed0a7f6a714b133c2d42d19b9d26ac

SHA512
78b076b1bda29f03e8b7ec1d2f697dec9ac731dd74e9453ac7eeaa5ba6f70548311708cf1774df1277d922b560fa8d9a050837d7d5b0e719601f3192792aa4e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796a51abc48ca78ddcea0c74540cedce

SHA1
c2e3829f3c63c61fe428f7e3e0f28087c0f2d7c8

SHA256
63f4de13edd049dec0ac4066b834a023713a9552e39e53dbcfb8dabd5bfdb846

SHA512
b52f645aecaddb6d0d620cd408a239256b114dff6489b4960f74ef528fd77b99fe051f54e9322eeb91596b1689deaff2037f2431ef4b1dfb7144f07bee795722

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25BC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar261D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\Kzxbxl.exe

Filesize
128KB

MD5
d0ba1411c42bf0f1adcc412ac1acb9c6

SHA1
2e40c3ecf3119b8b7f52667600a1c8b79e228610

SHA256
29239ca8de8085e5a36c6500559dbcddf4b093e90b3fae1cef680c48ed80dbed

SHA512
2153f46727894609c6b1bd3df408e561b9b145367beaa25e807ee9d89d2c8fc939c7e31cf45b56627cd35b49cb08db8ec8a133ce10d68daa82fbdf4f3f4af657

Download Submit
memory/2084-20-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2084-27-0x00000000002A0000-0x00000000002C5000-memory.dmp

Filesize
148KB

Download
memory/2112-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2112-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2112-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2112-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2112-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2196-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2196-29-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2332-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2332-3-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2332-1-0x00000000003C0000-0x00000000003E5000-memory.dmp

Filesize
148KB

Download