589c911b88667a5d71cce32dedf39b609cf047947824c2ef03c9943ac61f5861

Analysis

max time kernel
81s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
Size

1.2MB
MD5

ef74f29fa2307786d3ba3675148a996c
SHA1

d485bb0ea460ee1cff79fab0a74cceea9e44bd79
SHA256

589c911b88667a5d71cce32dedf39b609cf047947824c2ef03c9943ac61f5861
SHA512

d24a64d1094bcaacbed05f3b762ab9435c9ee2832ee579781f56169604de89625bb9112298b95893a5b779a078960ca4f4591630403da5bc4a8fb947366453d9
SSDEEP

24576:MPoIBRtXSk8N8Cbw5yLAYNE2bGkaN2Sb3iH2GIBSrWL2jB5iJ7:MPoYDSVN8Cbw5INB7g3urWL2Tu

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\kiss.she	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	yuyanzhe.dat

Loads dropped DLL 5 IoCs

pid	Process
1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ecBgzjz.sys	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\supereczsR0N.sys	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\WINDOWS\Help\yuyanzhe.dat	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
File created	C:\WINDOWS\Help\1.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\2.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\3.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\4.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\5.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\6.dat	yuyanzhe.dat
File created	C:\WINDOWS\Help\7.dat	yuyanzhe.dat

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yuyanzhe.dat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000029ef4e1720e58ebcfca2d9b3381cc8be7d2679ae944e434766f8390ee5c7fd27000000000e8000000002000020000000d5e992903a7eddb1001f1fb09a68b46e11571c394e1b8ec7a529c318888cff2320000000b45a9a2eb2502fc6739d03a416851988986638be99fb2ca52a5dc45663ce627340000000e39939d67dd009176c386b842b6d513219641f8c5b054fa84b309ed76a9005c22daece573e6721e37e14b20361b1281fe7154516d9a9c24520402681ba03323e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{96529A31-77F7-11EF-968D-EE9D5ADBD8E3} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433070944"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50749c84040cdb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000b53d7036c51c4c83f9844e89d723bde51643bae115fbe40d8d2b6f08fa0c89c9000000000e8000000002000020000000263be7de0e4710f5f9d90e30387d2eb2fd07a34665055897c1aa426de071f82890000000594e429506b7869d792a296318f3ed432accc48a64fda47392d08d89d4c6cbae31aa6d2f6f816e85908173bc7f3e7c69edb89202fbfbc5b1b64018db3d5dab4f446c7da1a66b281c47943cbb8c1e78bfd81849adbdadda93b9513d9f59bd155d3d813981ce38efa3410eb9865c0383945304cbd1847b7f6d8c89a03084d46d4d49a1090f67c6133dfec8432864fc90b140000000679f38dd462eaa06b1441b889757c42867221199ad0e8482f9b4330fd926c17df9a01e683254d33099a01bde01fff949c982e9ed2b5ea5f96ff25434bca351f2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
464	Process not Found
464	Process not Found
464	Process not Found
464	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2696	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2808	yuyanzhe.dat
2696	iexplore.exe
2696	iexplore.exe
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2808	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2808	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2808	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2808	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2788	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2788	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2788	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2788	1040	ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe	32
PID 2616 wrote to memory of 2696	2616	explorer.exe	34
PID 2616 wrote to memory of 2696	2616	explorer.exe	34
PID 2616 wrote to memory of 2696	2616	explorer.exe	34
PID 2696 wrote to memory of 2180	2696	iexplore.exe	35
PID 2696 wrote to memory of 2180	2696	iexplore.exe	35
PID 2696 wrote to memory of 2180	2696	iexplore.exe	35
PID 2696 wrote to memory of 2180	2696	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ef74f29fa2307786d3ba3675148a996c_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1040
- C:\WINDOWS\Help\yuyanzhe.dat
  C:\WINDOWS\Help\yuyanzhe.dat
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2808
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" http://www.9yiwan.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.9yiwan.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32983d9fae37875c9f7fef7dfae63732

SHA1
204dea9d8c3e20f073fe2df0bead1412c9014999

SHA256
c875fab6301d77fd991f5bef977b76e1e4b92d2a3b117b6777b7d4ca4e2fcc22

SHA512
81440cd385174ead51e229976c198779ca0956da040453996e6f2e132f93fe830e27d4cd51a0b2a597206f20c05720d952c4fd347088aaed51605955d77583e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7e91e4f444c010a839ea5ffd7c2a85c

SHA1
4076e8a92fc081cea780bfa84ec57fcb4d6144d6

SHA256
71ef0b95b65ac8d396a97bae79810b6f98bf1d0f9540a41ead39c56702f11af1

SHA512
7c3c374510830b816a8c8b4f72f22cd04641e706f7feabba5eac8173d2304d8652b4651f8c55b5da91fac2e1eaaab41613e2894c8b902952566fe0b8459a7b13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
975d07ebb353e025e910f2949074cd58

SHA1
35fbb8f57045ef5cedbcbcdbd3854338afee2b18

SHA256
1d3edf72af9c62d8a115ad8c08e8216e5889a2e0d230d10ed0279195e15297e8

SHA512
d186042603739de2202c4419f1e1a0adf6c8f23bc2088ea4dbea4eb869d9a02e5abe341c4e78d120238d846bf5c015c9b99c967267c179fb25a6cebf2763546c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d03bf93d5ce07835e934c91ef1dd61

SHA1
e335aed42b658529e96f1bf7b6bc04235fe7f1e6

SHA256
11141868a3020a985e20da0c0ddacd2c8ae18bf209543fac3cf1d55e42ef0453

SHA512
29faff83c4c4dfd91c5eab6cbae27f875e509f53bacdb2f20cd1dae568f3f626404057a735d913e39e2d33addaf5e78ba2d6a1e483888c7fee82486e7d0502b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
874b5596e3b35ffe8b1c8316f421b09f

SHA1
ca4d9cd2ce04dc81f97aa28cbb4bb3738f52d009

SHA256
9d9dd4f8326cca0566c5124156eaec670452bb93182633bff1c15f73b7349b50

SHA512
36c2639ca6e7f9b339a0fa473d894ff75430be7e61e4cab5236c35975cfd0ed06f75bfe6605367bd5781f26db2fc63782f6509c7864d029bb3ebeb39f8b8159c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e09073277934a8b54125cd541ef2b65b

SHA1
7e47aad435778c48c6b3192951200288ed5afbf5

SHA256
2eb848f2265cea7286fc96e43bd0d991f4d672d3610a21003357c8a6c21c531c

SHA512
8342be6b6274fe5b2b8eb2b2d114ff2f6f92e81dfd309c73846c236b4879de81d0f1ad82bf4a53c17a57e6585a17c3f7f378542656aae32678cbad17b9d2fc3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
439a7736cc43268322b5d1f6cde6c773

SHA1
0613fdd6d01ef2e187e98993dd13c5ee1589c737

SHA256
126771410412a7cc64fabd79a3fa579def1aad5fce7842c46383ba69cf3ec5c1

SHA512
79a044d3d62b3171f9009ca5c4001a12d0605d52e80e7db835625171da1e5200df334c6b6097bf4cc48d8ac8f8b51bed46f0291ec8f8c379f3bc8e5ddeca7ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c90bd8a19c15737e3a8f8657f35fb909

SHA1
8696cd07a2332f74bbf544bc7dd41539e9a47535

SHA256
0c06b091c54cf68ab5b9ada764686f68b6bd661588590177d0fadd554ccd7436

SHA512
7c51299d8beb351de6db6cc1e7a094ddac52aaf1c921dc0762ae3cd2a49769520593499bdf93d90f3bb9c06a521518334f25db96b9f0164e5eed318fb9fa8e81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d39bc61794faa956ec58b236facab4b

SHA1
549f31d7a91e0ac657c6076ce2cb5734924d7b84

SHA256
da2d60496b72096ff36aed029a50f1f729f4df4fba891eac0e9cae878331070c

SHA512
280efa9261ff7f1c977200d3d849bda1dd9e20482d1d25af1998cb08adb8f2128866dcf25fef302a512eb7f1bdf7429cc69173b5eeacfb48ff87b2a925e85b52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2401e212f85ad3a7ff18cf0f6c9655b7

SHA1
95019b42652c9b6f7812d270eb312bff3ada1bda

SHA256
ea9a210f5daf75e2e3e72434f7abf8e89fbe17728ee581360ce471e06bc54907

SHA512
f2b3951d988c13e1a556771fa08ef91772bfe0f04a9030dcc92384a819a5d76bdc7d9316f166460357205baca8e2f183cfa7b70552df750633cca07cbb2e4282

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796e3bb3c5fbc8db124222c4494b35ec

SHA1
e62dd9c590c4bb4fd915b06de78637a6fdc735c0

SHA256
d338291e213b62d9aa7bbc740e2592381e6cf9cdd356e195fce16944f4850ba7

SHA512
9cc1c9a074d97360aea71c5ad132f57e289b6b734df4597816d20bf3204340edba86bd1c00debd42d621f313e51740fb286a41349c1c37e8bebde1af1d71de2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecb60323a5e69a4c0583505f55ba9c1c

SHA1
64acdce191ca60538c6cb42191957306c957f1a0

SHA256
6e18dfec8272652c9938e122ab0e7a8e486f70d98c942669560b063da08a67b2

SHA512
c80998c9566443aa4b9be0a2aaa6463ecaedc57f8dea6e73e118644e49e09dd177878f68ec64116c8d8d12db662e0e0ea8e38cb11bb51ce0b588a7ea8e5e4b92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fd10fc46a05e15a3c17b95ff7abb121

SHA1
598d47ce3ced7ab2f1ccb6c06c74a1dc7c34fdbd

SHA256
62d835ca00d0c0957e0b446b4df5620186c082945d658c48e8e2736a519a9fc1

SHA512
311169fd01363a99a481c09545394e3234cd897027ada9ddfc12dee1629b335c7f16558a4aa7118da6baa69b55b332acda35b899be94d2df6eba34e73f5de867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79c4893fd639279ff1ce983c070eb2b2

SHA1
57870dd7b6ad8fb7342184c56c4edc3be8744fe1

SHA256
b55abc922db278c3d35715aab82bbaacd203123b9d16e1e8daa79deae721c450

SHA512
c322543f558ec8292619e6075494ca7798bba3b4a7d68acb9a7c005187dfe1bd1d485e3a04eaae93a1e2c55b49437dc79d5271ebb6b9e958c042fa547ddea454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95375765346f645ce1c5bf286a8d0456

SHA1
ac637c896c7b217dcc1ced94568c803929ba429b

SHA256
3a13bfcafa6760a156db0a629998749878118b562ccd147a527c82da069b2537

SHA512
8e5e67a29a3f54a0529868b550162e60afb063915bc5d799f989d9016fbaebdb12b1101f578347d51981528ca02a2a10008a89239c065a3966aa8099483ce3a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ea452d28301cde1a9120b34576289b5

SHA1
7a46d99e8664d79046a83b4c8ade0a6359e22267

SHA256
ae27e8cddeda15ea90e002278adc0401f05663cc1b35dfef8939417880a816f1

SHA512
78a7c6ffe19ea3fa977bf8d7efdcd1ef5f623f1c3f439f90b052309327bc206651ce1d20263976e66646accfe272d7a6b76a70414718a35b28fa13dc51afb3fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64f22d215b04b4735b7eb046db11be09

SHA1
4ca11dfc63801a400f250af8a85c45963d6b5559

SHA256
615bd41b7939bd27ca17664a050f8fa7f236ad4bb0638c8b1a012a5ef3cfb9ba

SHA512
df31356b10f3ce2766ef73e07ad2e26dda870e6e1c275d69be4fa69bf19e2d2154da33a57c42967484e21c515de04204de856730bfadcd585e82e07ae2c62890

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bdeccbaaf209aa02ef7f19104c9578a

SHA1
b34f03d7b179d1557a9bbef68e036a3e6bfdf098

SHA256
a402e1198bee856b71b3a8f2637844264623f72d96a5e13cee45c12f11499ebd

SHA512
64ceace2b03b44a4dbbdcf4ad3588996d72a2e77e4d10e510c4c15497eafcb9b91f8b71b11e32bc5362187c5e1e928aae353995111eb71d36e74a1b3c82634ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c5e2fcb13cdd298a034a23110bc2a85

SHA1
26b52611f514e17812c712fe7a689dfca471b63f

SHA256
ddf506f27ea49f653051c2a734840a1a424cf6f8bd19f8b3d14ffbdc05a31c28

SHA512
bf61ac7d0a2d2d0a90b79866ca936b48d1c5fc91778dfccdc5280699480c0bf158dae4a4795ae381f979e0280caf0f7e4796fabb7747cb7e3a28f36aa4001dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8884.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8952.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
192KB

MD5
0503d44bada9a0c7138b3f7d3ab90693

SHA1
c4ea03151eeedd1c84beaa06e73faa9c1e9574fc

SHA256
7c077b6806738e62a9c2e38cc2ffefefd362049e3780b06a862210f1350d003e

SHA512
f14dfa273b514753312e1dfc873ac501d6aa7bbd17cd63d16f3bcb9caddcb5ea349c072e73448a2beb3b1010c674be9c8ad22257d8c7b65a3a05e77e69d3b7a8

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
\Windows\Help\yuyanzhe.dat

Filesize
701KB

MD5
b0c54f02bbdc2f4c746dac2f9734740a

SHA1
858775d7fd56732c1f99fb403eeec4c95eeb4a5b

SHA256
69649fd2234c05e1a8c04b777a17bdb2d85e60a7de246a53cdca30cd34fd7c8e

SHA512
40eefe0e9b004405738ff612171f03e343eceee6278275b93d4c6afb5ab7c94ea9847ea918ef01aab9e63e35a6e0c9108abfb5a87831b5fa63c4336b6c044680

Download Submit
memory/1040-0-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1040-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1040-18-0x0000000000840000-0x000000000084F000-memory.dmp

Filesize
60KB

Download
memory/1040-3-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1040-13-0x0000000000840000-0x000000000084F000-memory.dmp

Filesize
60KB

Download
memory/1040-35-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/1040-34-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/2808-28-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2808-20-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2808-36-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2808-31-0x0000000001D00000-0x0000000001D3F000-memory.dmp

Filesize
252KB

Download