e62f391e03b142a6c43a755f8c7bdbe06d67cfc6366bf982e7c58caa18ed8e03

Analysis

max time kernel
137s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
Size

3.5MB
MD5

fa1f98dcf2716597118c4b5631c2779d
SHA1

416930b507b2f949dd970b8f706df756f9dee66a
SHA256

e62f391e03b142a6c43a755f8c7bdbe06d67cfc6366bf982e7c58caa18ed8e03
SHA512

7426a4c3f20f50677025526dd18fd2319a8360843147ca54f54649b544c923375a04213f5307889032b0249d73d48d2e1fa9e3c7fec0b23af95c64642db16be2
SSDEEP

24576:CNrA23g8jBbzxVewrO+4ILT27q2cqKHJKd+jePB/Q5z8Y/1iELi3AicfkfzVBEe:CVJjBbFVe2ODIX6qxMd/P2wN3Aic6

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}	svcr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2bf41070-b2b1-21d1-b5c1-0305f4055515}\StubPath = "C:\\windows\\svcr.exe"	svcr.exe

Deletes itself 1 IoCs

pid	Process
2712	svcr.exe

Executes dropped EXE 1 IoCs

pid	Process
2712	svcr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Windows\\svcr.exe"	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svcr.exe	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
File created	C:\Windows\svcr.exe	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433590093"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54FD4EF1-7CB0-11EF-A96C-C6DA928D33CD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
2712	svcr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2712	svcr.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2600	IEXPLORE.EXE
2600	IEXPLORE.EXE
2572	IEXPLORE.EXE
2572	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2736	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2736	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2736	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	31
PID 2648 wrote to memory of 2736	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	31
PID 2736 wrote to memory of 2572	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2572	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2572	2736	IEXPLORE.EXE	32
PID 2736 wrote to memory of 2572	2736	IEXPLORE.EXE	32
PID 2572 wrote to memory of 2600	2572	IEXPLORE.EXE	33
PID 2572 wrote to memory of 2600	2572	IEXPLORE.EXE	33
PID 2572 wrote to memory of 2600	2572	IEXPLORE.EXE	33
PID 2572 wrote to memory of 2600	2572	IEXPLORE.EXE	33
PID 2648 wrote to memory of 2712	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2712	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2712	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	34
PID 2648 wrote to memory of 2712	2648	fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe	34
PID 2712 wrote to memory of 2060	2712	svcr.exe	35
PID 2712 wrote to memory of 2060	2712	svcr.exe	35
PID 2712 wrote to memory of 2060	2712	svcr.exe	35
PID 2712 wrote to memory of 2060	2712	svcr.exe	35
PID 2060 wrote to memory of 1720	2060	IEXPLORE.EXE	36
PID 2060 wrote to memory of 1720	2060	IEXPLORE.EXE	36
PID 2060 wrote to memory of 1720	2060	IEXPLORE.EXE	36
PID 2060 wrote to memory of 1720	2060	IEXPLORE.EXE	36
PID 2572 wrote to memory of 2144	2572	IEXPLORE.EXE	37
PID 2572 wrote to memory of 2144	2572	IEXPLORE.EXE	37
PID 2572 wrote to memory of 2144	2572	IEXPLORE.EXE	37
PID 2572 wrote to memory of 2144	2572	IEXPLORE.EXE	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37
PID 2712 wrote to memory of 2144	2712	svcr.exe	37

C:\Users\Admin\AppData\Local\Temp\fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2572 CREDAT:6370306 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2144
- C:\Windows\svcr.exe
  "C:\Windows\svcr.exe" "C:\Users\Admin\AppData\Local\Temp\fa1f98dcf2716597118c4b5631c2779d_JaffaCakes118.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
      4⤵
      PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a65846ad9f7cb5b2effe6d3f8c38931f

SHA1
deab6061d06daea2ad4f7a1ad137449f5468d637

SHA256
e7af7cae2f8e8c1f778852eb7602642cb272e3117b2b49223f7dfc058823f04a

SHA512
52f4870ffe7d0b1e8fd68d6949fbc9bd5f148c94796da3b4fb0b4cc2814fa1ebf256b55af1049364f3f069a538ad2cf888e5c7e66531e58fe5e26a82ea3061da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eabd7cf2d603e181cf89b1fef581e06b

SHA1
6d185a583c8c3de07116c0771ed02fee4ecb56db

SHA256
0533f681c14a7de4b6f39ad1d2f3d1cf6ecbd5a4cec83429d4099b7c66664040

SHA512
98ae1f130f9ce71f4c652e774514a87c93f7d193632c209d4e3108a4127333733b00d0af3929dc150d1f55eafe6565c40479e545d486bd85a7a01b468426c275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5594fbb6132b826c3be6f48c35d9e3f

SHA1
6dab1ebaad6fc1d4849779bf9623fef52c7b9e9c

SHA256
f1b87e13359d9d3ff1929e9f20d41f850d319d4d432e6e644a50a546ca4aeecc

SHA512
c86b009e558e208f738ecb57098bf6a6f1bccfc6c22f01da8f6fa7a36c01737c7ec58606dc6b7097fad7ffc2e6d90a0acdac00bf30e5afcced6bdcfd1981bff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c8de5af8dc9568ed14dee1b6091e2bf

SHA1
019703be29d16764c2302c6a7d9abdd24d35d646

SHA256
5ac42a2b77dc1820e15952a41dfb155c7c8d18ed4be00d92c7d27ae7bb3661fc

SHA512
497791b09a333bc92cb6740d0cae48b9584cc11cc4cfb0d7cf544698e12e5622dcc2b54b75516aed3e96703ff68fd455ba6975dfca0d41c16d8effcf61afac53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f595c5310599000e5dad6e83f96c7384

SHA1
7970989d652504e85fd98a78409c0994d2dfaab6

SHA256
447cb9c41df97b8526a0772d4e626df1cfc3fe01ecd7e0e9bfc45291ca5d4453

SHA512
71d60d8045251d5ca1848ec77d2a3a59bd8c78ac83f06a077f36c0b5161ef5e837240414899063a2038d6bdd48469e1007cc982f0fc0d105a9e04877d2a0a97b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd4e95a2eac937e7d941bef1c8ab71c2

SHA1
778cdb1f78bccd2df212db94ffbadc1b50d18f0b

SHA256
d702dd323718accf1c7a1be389089b5323a60b0c31221c808f8fa1f9ec63872c

SHA512
2032ab8982b7e38fca3ca432b0f6096c845624e11475c5211ea5a6419d7fbb5a73943654be230dbdbd67f8c6f1d61cc4a127fc1b0083153eed1033f9432efa26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9a0f5be3f2f973b8c76856b3a362cb9

SHA1
5ff2ddf6dc666da8de1f5ce0b208dca2c7012e74

SHA256
3a20fe736839d78300c0894394a50a126913fa435583a06de7899d6ab9c9ed19

SHA512
9c8c18ae95b4deea65d1b0797d1d6bfee718c356a78895c9dd3ed160ea7e2b024bb75b5a9d3ddfcdb5c0579b28565305f68d24f6a27140d89b6bd31dffdfdd4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55e2f7a175bfce5599e7113e9436f426

SHA1
d553ae4bfdab42ab65958468f1cb7a173e89483e

SHA256
8c80c715fe18f9e3ad568b06ae19fb17d841e7e71ad5a3ca02e1180baf7bb021

SHA512
7a26655028c64fb6b784f86b5b41e61f073f67aa7137e1070a0f025d065edbbdbb399f3a40249594d882866b8cf6b3c5d9b8203dbe2ff3688da56a3e641d336b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82361d4735c1d641ca99f63a78fbb6e8

SHA1
f103876d15bb8f6cbbaff9982cfb283fe23c69fe

SHA256
721a953270d023acdb5f1f2422de35037385ae9ea3f62e05875a39724f27303d

SHA512
28df9e5056057ccd698977f8ad9a083407771c4ebae7a2938fb541649375e0ece23b533a0e7fc43597c26d0d269a46640d1e429e3a8f6ab84b9b5074186a9c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
670ffae469a91706ccaa1a91ea9a7895

SHA1
5c486f6ad353a2a606d0f598daf86a70575a65d7

SHA256
af5a0880924636a5ab44609ec82e7427e5a30e8a9b209d27be5772d4e82b53ea

SHA512
876a70d9f9b5e4d35d3889fd96b168bb9d4c091a32c12a649f1f4f158c621bac1e55a8c7a04baf365aa2d512594599476b225d7a178e2c14ee1997dcd079a8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8cf645b75814399a9b1c6506179e2e0

SHA1
b22fa44df7fc8285508a989867664969ee37cf79

SHA256
51777f93bf48ba83a8fe0a011209ebc106a53ddb49737e412b9011d0258e9e83

SHA512
79234093ce5f2519581ea7cee36caea711d50a6d7aa5cac9a07d323e094367b0e12218e51abcdc9dcae0564f003f74dd9a83e84aefd3a45afd777164aee2bc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7199d06666b556fad5fd54386ca4458f

SHA1
d4429ed7b2870be31c6b160f5d81fbb3500a8fa2

SHA256
c5f0bbcf0dce48cd1a6275d5656715601d6d11269f6a55181e0f16abdb08ec84

SHA512
2651b07b0769a36bfc09e31e34a3be016d3140f95d4f3a0f2f6668de94e5341b2b375e84a7659b8fe40e11ba0238f11e49db4bc8b7db55f841b890eb03bf1ce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adf0536997a57a6d59d3700338e0897

SHA1
94f7ef5643f0ce5fdd4c15e016cb6d94935ed2ad

SHA256
63b1d7b43901a5a1245b2b20d63cd051ce820efcef86ef6b9fc4a8138e36d3b2

SHA512
f39cba994a2f0889ca7a4c1dfd24c9276eecaa5bb8b031f74b5f46b9f98d70e2ab61f0e03d30e5daf0b04858bceb28188a0e7ddab443df7b70c9c09624ccfaf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b0b60a0c0f6689ea5d61544702f8f5a

SHA1
94226adb93bfaf70fb24d0bf01e64d33d475ca05

SHA256
ba44c453b9c67b7b09ce3e487ac4018d4b0def1579ac8197d74fbfbd80eaee6c

SHA512
d8b6ce2d3220cc01fe4959ee4e809062236465836a9ccd263437cec09d4bb1572d956db420d23b6dd1d7a7b4c0f35cd1ed34066316ae2ca53a699b8747b45d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69fa8f80466e28479daf7187cabb16b8

SHA1
0df4feff68b798337ee8b5f6287d8dff3aed9456

SHA256
7d3646a0b16cf84469f2fea7923c17400a67742a76a02393dce866d01fbb5dae

SHA512
36a09bcb0f2f06fe79d5c093df80bda64c2db8ae25abe4a779b4cb791e444abacebf47b4f71891256011b53bc7473eda89b0f7734d09ced7da72643f8cabc79c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28e5ee94d739e048ecfd2aec1cb8e5d8

SHA1
14f7b045ffba52cad772e62938e10c673c166cf2

SHA256
10a0e5937a75799b96dce6c647af9ce61aae0089bc74a1d75d837955866718b0

SHA512
5e611c9f434816d66ad7d827140b23ebe06f1a416541da7e2c508bd77bf60b5a277b6fb33c01521ecf9d79fb7f6ffb091f211cfa25453ddea57880f10bface96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b6d62d681d08f5bc2891f98f20bfda8

SHA1
07c743bfe0b73da1c77d45a5e9d1854e0e397a84

SHA256
d36583a90150b1e2446c98cd2ed187769787ef73f864a709347eba2e98ddecab

SHA512
d9e3a63bf8c2a2b2ce1de3ca0b37aa657a9e25303b555004f48c8d65e523e5797835a077dde72b7975675287f6fc0d45267d89e50b31cdb037a6e190abe04aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69de27c72074164126c5e93f832d9992

SHA1
f19e6dc3eb8abf39e659fa79e56a9b351449f0dc

SHA256
0ceb0f3d386bd1b3199dfc7a385874aa40cf371740f13ca4abdb1e3495b165d9

SHA512
be041d9a225fcacae94571f8013392706d1c3cfdbdc2658e2ad7915aa386fdb10a9b8e8ad4c7d2e31cb557f3531ed308fa4c6dcad90016413555d7b0694342e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2af1fed403a7b3a88c02eba9c82396de

SHA1
65d47076353a6ee9c7b3165b56916996d17beda1

SHA256
b83114652abbc5ea373a60e40e63a4dd1bf771fdf3883d9dadb2550d144859e3

SHA512
eddbafbd89e3376823b74ec8dae84f3cbf07c8e9b2f85212d7934cf1f4335b9d244dbd79bcd47d08500a2fae4ed0d2d1b1a10160f64952816bceb29d523335d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426eac69943bb933d88cdf73a507942e

SHA1
52ebf41cc597f7d973d17847fa7ece09123cb300

SHA256
5c62486ff976b44ac3e56121c38fd0742ecb4d5d17522ff4364a3ca380c20a6d

SHA512
2bc90b1d4d33525d62df4e8a9b8651c083646bfeedeca2b6faf51abd02072e8881abe6bb3f7143009bd4816f0c5f6373d6dca12c77380c138622471319887948

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
508a9c302d173336ffa7bd1b8484d504

SHA1
fd85b63ae73105448de20e5fe53ee5376210d495

SHA256
9849393a5fd1b3e4c8577eca27246de7615b43bf3593e20957130fb72316dd02

SHA512
06387c1ff3f42b29067e82fe1b8a3b8fa73e96fa4e178d0559c900c71903f73d838ddf09b2da9cb52214ea4e871306829174bda37220855984f7b27b82708da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab233.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\svcr.exe

Filesize
3.5MB

MD5
fa1f98dcf2716597118c4b5631c2779d

SHA1
416930b507b2f949dd970b8f706df756f9dee66a

SHA256
e62f391e03b142a6c43a755f8c7bdbe06d67cfc6366bf982e7c58caa18ed8e03

SHA512
7426a4c3f20f50677025526dd18fd2319a8360843147ca54f54649b544c923375a04213f5307889032b0249d73d48d2e1fa9e3c7fec0b23af95c64642db16be2

Download Submit
memory/2648-2-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2648-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2648-1-0x00000000002E0000-0x00000000003C6000-memory.dmp

Filesize
920KB

Download
memory/2648-10-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/2648-12-0x0000000000401000-0x000000000040D000-memory.dmp

Filesize
48KB

Download
memory/2712-14-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/2712-17-0x0000000010410000-0x000000001042E000-memory.dmp

Filesize
120KB

Download
memory/2712-16-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/2712-13-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/2712-25-0x0000000000400000-0x0000000000787000-memory.dmp

Filesize
3.5MB

Download
memory/2712-18-0x0000000010410000-0x000000001042E000-memory.dmp

Filesize
120KB

Download