53c727bbcd1c528197a19098f211ff4c283eb67702dfc27f3c7dc3072d4ac7ab

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
Size

807KB
MD5

ea9f7c7104876904b98924cfb80592ff
SHA1

ef6b6258e888f8342dfebc3983cfd5d503364751
SHA256

53c727bbcd1c528197a19098f211ff4c283eb67702dfc27f3c7dc3072d4ac7ab
SHA512

b1891837f179259179b28ddeaf228e74892280fa682cbed1fdb3f996089eb3662a5215daaa4ce666fa72a3fc6f13754e32beec031daddf8f91099838776f71dc
SSDEEP

6144:vBte77LdSLxq9RGd4aGSs7LdYShYDz4o7fBn/bsosYHKcdw+vWqH1liP3f44fQdV:vBtQ0BGlV2Dz4OfPu8WqSfQ

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2112-0-0x0000000000400000-0x00000000004CC000-memory.dmp	upx
behavioral1/memory/2112-449-0x0000000000400000-0x00000000004CC000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{38910FE1-7643-11EF-A742-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20464b0d500adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432883523"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000080bbf3e2d96f991d57ccccddda49b8d5ea513cae7e7855f9c9390176538fb28c000000000e8000000002000020000000a7b09ded968111d29c460c0c7a9f1a12389c8bb770a783252d21b2504ce575a29000000062725110ee06b0b2d6700560cfb73a9b0505a981f2512202222e0cb7972513be072f3d22cadff74061dedccd20e09d8e46c75e446277551615c8fb418e7979085c04207a41f1899ec9dd0f1c1cfce41cfecbbc67102007e7ff1835039ab45a4c0eb70076c014bc384cbbc74d6580decfe87bc6414a81fdd1eff2b901347cd6ff8b8a2cf0a93c9d5c113d80eb1887b5bb40000000a8d0edb16136a43eb433d34cd802222f2373df4ca07b9a24564567e5aa54a371f99f83f908133c2021ee7040ab4bcb8e0dfb14ceb506a4d18a84d7f9761c2f86	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000b8ea7d8069d984584fc81a3402819fb0f0ba12269fe9a08f788b3d5f98746f2a000000000e8000000002000020000000cf3cf473c48d9998432306169862cfdefb9bfe95c9ad546c890ba168e4bb372d20000000d9165abf628e65f8505c86930c7b0b60c01f242fdb5d428da2fa210b3cdb0d5d4000000090b2b54ede1da88c9493c64b5c5cfa51756eaad1251382d57cb21be7fb1655809e2b13de73bfffe5749c368fa3e74d76ddbfb519a3ce1a76126aec0a1f9c68e9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2572	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
2572	iexplore.exe
2572	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2676	2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2676	2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2676	2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2676	2112	ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe	30
PID 2668 wrote to memory of 2572	2668	explorer.exe	32
PID 2668 wrote to memory of 2572	2668	explorer.exe	32
PID 2668 wrote to memory of 2572	2668	explorer.exe	32
PID 2572 wrote to memory of 2740	2572	iexplore.exe	33
PID 2572 wrote to memory of 2740	2572	iexplore.exe	33
PID 2572 wrote to memory of 2740	2572	iexplore.exe	33
PID 2572 wrote to memory of 2740	2572	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea9f7c7104876904b98924cfb80592ff_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\explorer.exe
  explorer http://649797888.3322.org:520/
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://649797888.3322.org:520/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d610a37680c20bd0d46b01c404c15fa6

SHA1
e87fca0e1ee4e5e647f91c105c32c4e424f77ee7

SHA256
3877884d4188de27f9e876c01268758915ba703c92304a239bef072b81b3623e

SHA512
c437bafec1d3b7a52d070d27f9e83fd48a5087827a0d20f10b0ea13df65c98b0aa01b3ecd51fd3fec2e546b7d76ecc550bd3180d8e958c556b5cf33cb2dc3052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f429cf3cd3d88073f34b4b858e5214f

SHA1
e94919a6091417199cc84fe76f5ba60bf4c84955

SHA256
f53186bc31190a466aefc5b9eaa21a7c92c81f6723a3df6989ec77d6e49c39fe

SHA512
9b65af1cc59114a2e8e9afbfe380d3bbdc64029e6a9d374c7a3b6cfd8466453fdff1736d8a4eefd3e14f589148bc3803ad4e6050d6cf1eafbacf6f68d319d225

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f61c87953de4673dbf5654cdfd1e3ab

SHA1
10978b5b00eb64c5791e9dcd806c5a0ecf4170c7

SHA256
8f519c32e8104233c68bb012ff46b0e26e578d03c320b0dbf8782ca318ae2ec9

SHA512
eddb54ba9332c8b40bbf9e091bfb8b2c40a9777779f29d52d9e71b580e12b7958cd5f2158eafd9cd8e1f71cd6605cc009b33a5d054a65f06489d2225a00abf3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70e09a1ce91582fb1dbd5054e4080e0b

SHA1
3f9d7aea2a3a9dfc6d5024b69143bbbb44298085

SHA256
abc8045a118f85ab026685c450d0033ee696f9569a8f39d3a24a9635e66e1a15

SHA512
93156a957f91ea13f6193b5df50dc27b98622da39f9182fefd59074d75b312358e0d693641fac7a0f96694968676b98008cf42dddf87ff7567b16e2fd4d2fde8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be6a4f93a696e77fe6d67983f9c7091d

SHA1
12e4de7168cd07431f44fc38a11a0f85f35d0268

SHA256
cec3f885a9c85e673db12adf2b88baac24945ff173bce4cfa02ef29adc9b55fe

SHA512
29449192267b609fc380bd16327f581ac383ada4ef9c6ab82fb8b35f7cf5c32ec095811efc74df664a5c4075e5c08acb70503ba0abdbc6f48c68ddb268cf50d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc408e0410b4d794cf8057c32b8dcda4

SHA1
4c7c22894e70d7ce636039c33050505ff2824d9b

SHA256
27c9fa35e5f001e3a30736709257b51e22d35418892661584acb178716dda32e

SHA512
70ff55ea0d708c104da3bbadfded6cf838910a73bfc4ac5de53a7c9d43ff1c62eecba01c1ac04a3e0fa5cf5b6879fce2c136679fa1d8afc618af44cb1dab01da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0771a64c73c5fd6d58ccae277d0b28d3

SHA1
75926034c849e13e043f0613e19dc7909909219a

SHA256
dee5260607b6e17d96eb172ba37771769cc4cf345e6d47c7ff2364b843a14698

SHA512
09cef650e4dedb67705df1b8548f501c767f548221de49d42e8469c622d91b0287e5669f7d6c7d7fddf6f2bc204b6c6d6061b84e115b402196941304a933aae4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672ec9e4df971b3d0311b527c1fd0e6a

SHA1
743222df86872b86cbbc4aa4da8348fcce742b4b

SHA256
2e62483417f84730fac92336d19dc8f35c9da31a6808e33e5061dd3a154d0d18

SHA512
89734c643cb6f1bc985d360ebddc1d2d30d7d9cdfbca2d80b7f679c9347a0aec374a50fae2d93aaedf54cdbf960ed9cb3853c202ff8a31a26be8e3a41078b6f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5989b63e7972b8266effcc6fbfcf9898

SHA1
34aa112d8ffcc064128c27029807dd7000014e55

SHA256
14207ddd87f4bf9992e1a67efa93132dfca914f10cce0a874d135aa599ea870d

SHA512
e7ae03d8c9dee777379418c05aab677b3a415d711b09df9cf794498e12cba380db4bb6c7f75ff630bd85d2c360e74e6260fd75f6756c6fbafd37da440adc71a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed176eaf2fbf3642838fd09e2ce1594

SHA1
99df72c831471fe8dc566000886e0eb0860f5c46

SHA256
9c7d7ba94cc5cea2829b5550f31f1d7263708e51f960721eeda59a4e509541e1

SHA512
3ead3580a2d9eb7a33ccdc250045449afa6a1e8809390460bb8c6e3940a650c7bcc135f6225d9d229d0cc5f3552107180d26b18873cc1ca3d3feb35a644e54ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a01d44c869863b6be4c5f3fb54927283

SHA1
559330f88ec7537792a4c123e471ca982b5e5775

SHA256
d75e64293b05ed0f0bf0c5c677dc1f04e3e41b80df3635c4008670de2f10af38

SHA512
c554b540695daa88ee78008ebe91a2090c33a70680f11f01be6ca9d7c58242d07fe99c3149f039cc65a1481ecc6201a28c52254625a714ebaa9f96d6e1e36c35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cb4b3a298fa0d3e2cabe62cdd6bef31

SHA1
f65a988fa484f9eee78b47a3bdb2c3e1bcfea294

SHA256
37976acf3d9d2b69210278c908e5d2d172c286649e8a51fe534afca03a515721

SHA512
95114ca3d1a6c1087598306e63588b8461cd5b716851a5319d88b26150f429b545440b3f2d5793394129a8085c2e7e896a8fcf5761031d887e045e3d7dcd9939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b82bce1194d6f1e3a878056232822cb1

SHA1
107b56fe5b5184ffe934cc59982eada1af86082f

SHA256
3e5d30b986d06532d13307c83ff44d29f750102af7fb94409bcffd6718adaf1c

SHA512
e8aeeec4095b9f1768c3ca612205e7784803f6f1428ad8db36e68346a17547c869cc2663b9c5fb4517d08c96854d4b61d70c93b298a8ca47995cd1205bbb5abf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
378209ebdd3971aacd0935bf9cfb431a

SHA1
b7bdc6826d0d847571ae485eb44f0b61aaa0d00c

SHA256
5c42dced154535dec39fb8ea2b0286845a28644fd90036ccb2616ce38c427302

SHA512
5223a6f83086e5fa44dd09fa1897c1c21765de79ddc3880daa654f2cec482db64ab4f527e21a9156c31160ffa7d0473dd7a8ba7af40877304f36b632b70b55e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
433a01ef97e06d444eb7bfbdbd2181f3

SHA1
3c08fb633f804d2ea011e74585f31fcc155dc1fb

SHA256
488d25579d74c67c9e35366c88816716975b1bdd0b175a3be84be6136fe027b8

SHA512
cb29f07527cae56cf5b1f5de523a337a1f313356204c08750f61df246d69d4a0179f461b51dc78d44714e388aa8d3a22bf11fff4951d5d0a5b697aa1541b4590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4928f12829abe0ed4262f0436135c4d2

SHA1
5d013e9989465ef684f6761d2c88efa27ae68002

SHA256
b7bd4e1750240ce52ad9663f80f7c766e24caf1ee62d723481b1a83854cfd527

SHA512
28d5e9f465c629b12a8fe0e3f16ec8ebfe735007911c9342beacfe08f09d03cc431df0e9fbe49f0942b5e72dc6cc3f77081b392f7d87d28cf0e6880528706279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8898bc7dd617759a8ad77f59be0795a0

SHA1
1ce8909e7f70d57752459bee96041f5cb04d2026

SHA256
239372c0334346294b8003f623bf33c25d314c8db6fcb2a9fd47e0dfd0db7848

SHA512
fefbcc3d4075084e6ec31fda3547ef8b7af5fe123843192060a6f06517e7ae8d6e5adca8bf9f6d6142ef3a4859df09737149a842a9eeba204f4e9bef8a954a90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e9979a630526553cf23671f8dc9a11

SHA1
879404267a8307877d98b3476554b8d34ed58ee5

SHA256
36940df21bc06b673b0766d2731d84005ea598683ea4f0f6755ad9fbf98e86b0

SHA512
24c7db7804c3939b075a7c46e3342d32ebb6611f4e99621593d6cac00c92c7da6a196ebd8545462158d1bb5971407fd724df2e4da48590f9a9e9caa45ac5826f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa569d87a54f2ce038f84ad7604c224b

SHA1
61be0897301d39b9878ad983ffd38572fd1d9cf9

SHA256
516eec1485f56b70e6ebd5f56217464e89eb96ac657497342f7242ecf9d8763c

SHA512
0309089ab8bb05abb57e093cb64aaa590403a38c7b810de64c6d3edbbd8c356084f412aaeb12bf3fac685a09a4e1fe8b472321bebbf9adcbfa16826202fbb409

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab121B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar129D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Favorites\Íâ¹Ò×÷·»¹Ù·½Õ¾ [www.zuowg.com].url

Filesize
110B

MD5
7c8c531ff6a158742da186b1fad6e00e

SHA1
98d4551e0d6ac034838a17437640f3335edfaa86

SHA256
00ddbc71282fdbf74b8a02cc75b2c3d66529fe7664c148cc0ca79576a883c501

SHA512
1788173da6e9cf7e5421c02854ca9122d0825927f33fc64bafb76377ee80c0e1a8112c36ee40b1cbce86e121f864777e8ddf9aecd282f3cc82b70e12cc904805

Download Submit
memory/2112-0-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2112-10-0x0000000001DE0000-0x0000000001DF0000-memory.dmp

Filesize
64KB

Download
memory/2112-450-0x0000000001DE0000-0x0000000001DF0000-memory.dmp

Filesize
64KB

Download
memory/2112-449-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download