e45963c8dd68cc898fe8a417c0783dc5411ceb8eac5a2394fd4429c13445263e

Analysis

max time kernel
141s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 10:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
Size

196KB
MD5

0a43efcee727bbefa164c960e53ce180
SHA1

68d8a2028a30b2d755149b094726f1c9f23c03c8
SHA256

e45963c8dd68cc898fe8a417c0783dc5411ceb8eac5a2394fd4429c13445263e
SHA512

0c00980f49f440c35aa0d792a604e93d7219d34c3c1757a81cb6660cd9a92119fb9927025f96c0ccaf441ff66608e95bd5c90c454e0af35f8278ddb17c45c296
SSDEEP

6144:Jn2HWTBa+bX2mfnotMtqhVK+XaZvEIxy:Jn2HWTRXreMtqpovc

Score

7^/10

discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000014714-17.dat	acprotect

Executes dropped EXE 2 IoCs

pid	Process
2976	Winad.exe
2836	WinClt.exe

Loads dropped DLL 7 IoCs

pid	Process
2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
2976	Winad.exe
2976	Winad.exe
2976	Winad.exe
2836	WinClt.exe
2644	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winad Client = "C:\\Program Files\\Winad Client\\Winad.exe"	Winad.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ide21201.vxd	Winad.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000014a05-6.dat	upx
behavioral1/memory/2408-8-0x0000000001C70000-0x0000000001C84000-memory.dmp	upx
behavioral1/memory/2976-21-0x0000000000260000-0x000000000026A000-memory.dmp	upx
behavioral1/files/0x000800000001471c-19.dat	upx
behavioral1/files/0x0008000000014714-17.dat	upx
behavioral1/memory/2976-20-0x0000000010000000-0x0000000010039000-memory.dmp	upx
behavioral1/memory/2836-24-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2836-26-0x0000000010000000-0x0000000010039000-memory.dmp	upx
behavioral1/memory/2976-29-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/2976-30-0x0000000010000000-0x0000000010039000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Winad Client\ClientCom.dll	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
File created	C:\Program Files\Winad Client\WinClt.exe	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
File created	C:\Program Files\Winad Client\Info.txt	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
File created	C:\Program Files\Winad Client\Winad.exe	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Winad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0D6E9A91-80AB-11EF-98F1-4A174794FC88} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434027630"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2976	Winad.exe
2836	WinClt.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2584	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2976	Winad.exe
2584	IEXPLORE.EXE
2584	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE
2644	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2976	2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2976	2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2976	2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2976	2408	0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe	28
PID 2976 wrote to memory of 2584	2976	Winad.exe	30
PID 2976 wrote to memory of 2584	2976	Winad.exe	30
PID 2976 wrote to memory of 2584	2976	Winad.exe	30
PID 2976 wrote to memory of 2584	2976	Winad.exe	30
PID 2976 wrote to memory of 2836	2976	Winad.exe	29
PID 2976 wrote to memory of 2836	2976	Winad.exe	29
PID 2976 wrote to memory of 2836	2976	Winad.exe	29
PID 2976 wrote to memory of 2836	2976	Winad.exe	29
PID 2584 wrote to memory of 2644	2584	IEXPLORE.EXE	31
PID 2584 wrote to memory of 2644	2584	IEXPLORE.EXE	31
PID 2584 wrote to memory of 2644	2584	IEXPLORE.EXE	31
PID 2584 wrote to memory of 2644	2584	IEXPLORE.EXE	31

C:\Users\Admin\AppData\Local\Temp\0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a43efcee727bbefa164c960e53ce180_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Program Files\Winad Client\Winad.exe
  "C:\Program Files\Winad Client\Winad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Program Files\Winad Client\WinClt.exe
    "C:\Program Files\Winad Client\WinClt.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2836
- - C:\PROGRA~1\INTERN~1\IEXPLORE.EXE
    "C:\PROGRA~1\INTERN~1\IEXPLORE.EXE"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Winad Client\WinClt.exe

Filesize
12KB

MD5
fc4b6d983daca2cea1d74db2aaeffccd

SHA1
33401ea019e4ae8834289aad7f9b38cb3defccdc

SHA256
1e4d54da1613b0ea8cb2c20ce8c64f489b79e09124c584d91c5919ec76bd80aa

SHA512
84bd39b60c1eb82a1c4bc92dd503341d60300270af95d06173736ca533f66e28c3013c9e51a3b07f6f28a93a09a524bc0ace2f0031f7fccd535a3437429e789e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf934a589c543a2f73e59d818090be4

SHA1
4e01af96ac7f107631ac953d47345ab188c4c3b4

SHA256
430f217ade29fa4c8c8fabf15430059973d813f1f3badea50fe4f1d8e9b9abc6

SHA512
38867947ca36aa90b5cea3a36483dc962633067657bf95031d30221bc8af1fa557bd9f0af3c405806392c14038e4779c9d75ba1453ffef05777cb1af97cb6f8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c24227e2f02549a7223773704c29511d

SHA1
61430624fd37e08a871c04f8d84afe180760d5ba

SHA256
5e15e7fc0e05e7d97bdc27049a0001d557a74514f0aa27bfc9cfe5ef82433457

SHA512
539f28353a5224ee60591fffba0fdfe610a57a5da70f30dd7aced9daa73e562358b07ebcf4825e3bbf10081dc38e08abcdb54043e93750dfe5498067cf581a19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f9f744e44ad082c224b68dffa72e71f

SHA1
8afedc639723836406f7e56b21fc3af75386e213

SHA256
0cf1b2dc0c2c3bbb289b5177babd68ef1b06ebd5d24e3a817e64d55d008df04b

SHA512
2a9b77ee1b5c7c88973c9d87d86b74e36c972a2f9038af104a54d9a243209450b3d32df9697442951a9375cb650d4116d3a253b0958b2cea4e9e5079e51c5742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42f05c185627dd3fb34ee1f9c03a692d

SHA1
cd5d8ffd7c2f4a65bb38295c038bac725a6e2c44

SHA256
99982cef54f4a7cfc45cb5ecaf51192fadabbde6b2d6e83f4c4cae95eeda9539

SHA512
b429263ff213ac2f64f548736b5d16b61cdda24416d82f15284ba4132e94027c66280273f6d79a3c1837c977a01335e62370991f96f026e603ce6fba9b3b0209

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318db6564762fc84854dc11ddd8ec4db

SHA1
6396c4a27cb91e3412a2c3c510f529bb1b3a664b

SHA256
ba41f6491e469c3e2d03ad25bf125a2a8b73a09d709c50dad967926016e90e3e

SHA512
94eabfbb417ff6578d37cfeec3d102bb412743cbe0d705667d09597f279f8d5f92fe64208d830baa6b287b9c12eca846104dbd4bacf17506113d5eceed3646aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
009cb8d40d7a006441b35d52ee86cf07

SHA1
50c3a1b84b26b7430721c72766df07b150c82ce3

SHA256
43c1b29380eec2ad9706f6b87dbf854c8df1546bb40742ddb2b220a81959dc58

SHA512
92c443e550da143d4348f3549d76f095a9ba3b1239e3ff7697a1e45457a35f66b08ff9e32cb83638dc156ded410cc4878b2ed3dbac05313b862f0feb7d853d0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b628161dad3439c28453e60deec04e53

SHA1
4641bef8d049479c99afcc21c26e1f726edf4ef1

SHA256
5d20b5e64ea61f6d18d31918b38db1353c88a8644bad993617d3c4529f1aa94b

SHA512
5ba566bff80bde9e6dedf6f229ba583bbc628646cc943a2899d37a438e617964fdb4f1d09f0085148d4d577664984703d4176eee25c851b3ecf052b4c9cdee89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13ed628b3610693d599f186e3eed338a

SHA1
15b702e87977fb3ca33508ce51b45a871a62be9d

SHA256
2d4147d3ca58bdbac47369491be246b5c9f3b3429d82329df0279ed89fcc865b

SHA512
eee98e2566b24cd1fd0cea39e8ca2ba50d8d375ad6be329957e12f3d478c8cfa6f806e755d5b68d38ee21bbd2952f3ada1b58276a4a0a9dafd0d58bb8e6e2b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7727c73067e4a77553b16658c28047d4

SHA1
8e146a80262824ccad8daf8954461fc2bb0cd21c

SHA256
4a0cd7c98ca3ed18b5ceb587f5bae63ebc5bda1c564c903a75c690e562b35926

SHA512
2c3eb5ee15e03ae55e91d742be0345e77252ea942aae0d08a991db1ed727d22af89e7edfef10810dd8bfc51a9fd223447ae65a5287debc6832090bdc63ba4c78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0b6152cbd25cad3bca1e3994d1ac91e

SHA1
00426fbebd21b3c679104534a62bbeeab290ee13

SHA256
1c721f6ea1e0182c29f9c65e45a6fc86472e3edc41622e925cf363aa77959f26

SHA512
2d65b19717673d0f7948e81fea4c3d5aed7defb5866e3add0a7d6bedac4b24b213cdc3ca426f183f7fdf5e67e9f3c936f1535d4d0eeb8921d3f1bbcb8269cccb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd212ab3d6e9021cecfbb57fd4a17c6a

SHA1
10049d883c2326f7d6b191eb5c89b68c27a20aa9

SHA256
9719e0a74210ef6862d324c9312ab71e42fd8facba209fa59f82f28aebfad5fb

SHA512
1d75266288ac57595362c24e000458b34490b90ce4ca03ab54d3c5aa973477528c1d28bb22fc0c003b7eed2c90e4f0b04b89960aeedec87a58b364dcfe5e528b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
041c8270c3d44f7af72bc02c3b558075

SHA1
c56dbb5ee798cf585d47a86cece262b0a7723720

SHA256
a6f456c8e7917441da8dd6943756d1d2f7ccd51ca6fc9c13e252146191e7f586

SHA512
dd046af665434b0667ef5d51c2b2dc9e26482b28342deb2077ffb9be018bef61b11f7e9afd2cd9f1ccfc6c401f526b6dad2c8b6a958535c321a8dc1280b9b836

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e57c43a30638d7b28115e406d070675

SHA1
a95c3037e7a20c518aead0bbe7d9be7b86f626d3

SHA256
03559831a5d3f4960c9b5f67be5571b6e42b6b4385983732e11594c9333b0709

SHA512
3205e1f66413724120eb375e4dc0c8399c91fcefdebb60b13e191539b3e058f32ed49c7b68888f5b54b39790f44249f27f029ae32de24438c2a5d7162eb30391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6728bb9c84066f283c022c193f6d8443

SHA1
e5f5f0662a23a38995e162f439fe0769cd5ec542

SHA256
693284bffff59660966b4c477299af84f80b7f50a9454d3891967a11c1ebe987

SHA512
e0b5042b9e284011493d3a84a025137c821ca3ea40baa3bb306b99ea44fe7648ff79e4e135f68935cee4883dcb734e03201648ce7c83c66303fd60f3ff9a5f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c664a2da6e3322594fe4dd6745c6b0b4

SHA1
8acbee586505613325ad972acddd81a00307d33c

SHA256
ebda7f4c287a5025adb228e8a9a1aff36ae98c8df4ada03d0a8aff818519b9f4

SHA512
159334d7232acfd673a949407ada68cf7ebdf4fa3262de3a47e73ce14bce3e679b0866d974f20c7fe1f26db9e0edef638ea4ddd7707931b294f10c47aa0001ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45fa39a4e40681598f4d3212910dc9df

SHA1
d34b0b42264875d3a2a5b26858d89e7936d7feaf

SHA256
d21073c9c21e6579a20a9a6652cbaa53f1a7f64ede3090e90c6978b5b635cc49

SHA512
b6b17d9f4beaba8985b178603e7d8189d6c3af81234de4ea06ae336b4cfa3f3dca1d8ab46a769d9adc25498a17753656e6ddb7f2c1260592e6289006fe161145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
016ed8ac9656f7b684b4b936a655fe39

SHA1
f8bbd92e049b696b5c15b76d00672d678bef37e8

SHA256
a7d340c08ecf1a4299de156b4b2e2beb96124cb26c21081a1aebfbf6e9020d09

SHA512
d02be48d7a415671133881e61d0e9bbcaa2f49c100f9e96a52b82024795fc73919ccfa34ab12d91728bed7899577cffa21792e719cd2da514e5b8cc79d614d40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29ec951ce354152a55136ffc9ac786c4

SHA1
868c4a373e77d3e6584a9ebc6232e6bd0c752064

SHA256
4db890433f9964d69c68bf383a20bed552efe0d041ca7e48825c29dcb7e26edb

SHA512
5363b432ddb4a6b28d6982b773740a50ae260f959ecb3417c22115db38753bf2e2eae54d7cc392e0b79313166d58dd159bec032640e193ae3af5707b6f37392f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1db6df020f9d0a09e5b742985d67d353

SHA1
aa6ac319a2f26b94ee14d1f3fa2f272da14bbb34

SHA256
0add23763a6479a239d503652ec832c626ec2b54c98dc4cbd6d3f4a973439d9a

SHA512
f3e157de1413236cc20f2cee7336ac6f62cb73815c9f85c9ed18b8f08a8b6d5a40a0071e5364383c27ab07b6e2cdcf105eec270f1009d43311b66ffc88c9089c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6B90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6C21.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files\Winad Client\ClientCom.dll

Filesize
75KB

MD5
72b6223a604d44f58a63effc3729c028

SHA1
5be0327d56e68873ba0ea206125aa9830061f831

SHA256
38ad24b96bb0618d5945f1717720b1f02b7fd5a0feed21a44995209f7d81b910

SHA512
14801dc37e35aab45d51d974d4d51bf63c90b1887a9061ccbafb004ef5e66e849b8bf29a5e7936e81f20db58e7d6eb72114d05214aabd53853a946d411951515

Download Submit
\Program Files\Winad Client\Winad.exe

Filesize
23KB

MD5
c8ae1b6431d0fa32b346e9ffb381eab8

SHA1
4bdfc7712f467f1f76e7c1008ce0deaac53ddb6d

SHA256
36833bc3a8ee4bc6adaa9e471cf5366d97b33d83308086d3d216338a0964ceb9

SHA512
ca6965b118a3961169b24300e843d8d171a854d93c2e94ff0f37e1c59c0bcd29484a9974245dc939ca7ce1b2688e8ab3f6b34cc6fa3b477a43b25ac56a62cd09

Download Submit
memory/2408-8-0x0000000001C70000-0x0000000001C84000-memory.dmp

Filesize
80KB

Download
memory/2408-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2408-13-0x0000000001C70000-0x0000000001C84000-memory.dmp

Filesize
80KB

Download
memory/2584-27-0x0000000002BB0000-0x0000000002BC0000-memory.dmp

Filesize
64KB

Download
memory/2836-26-0x0000000010000000-0x0000000010039000-memory.dmp

Filesize
228KB

Download
memory/2836-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2976-20-0x0000000010000000-0x0000000010039000-memory.dmp

Filesize
228KB

Download
memory/2976-21-0x0000000000260000-0x000000000026A000-memory.dmp

Filesize
40KB

Download
memory/2976-29-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2976-30-0x0000000010000000-0x0000000010039000-memory.dmp

Filesize
228KB

Download