754a1194c21c5f50675f0025927d6fcd8eba11047b9fc6a1c028f4855052c1b0

Analysis

max time kernel
76s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04/10/2024, 08:17

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

JJSploit.exe
Size

29.9MB
MD5

a9f34d2e77c7888957c8880f367398e7
SHA1

201dd7c2965be5ae88119a22b61436506e0650ef
SHA256

754a1194c21c5f50675f0025927d6fcd8eba11047b9fc6a1c028f4855052c1b0
SHA512

c47f73924417bf7775624d46ac359ce8b5cc3b2c5cdf5e15f35f9f6e9c92543de3721bd87cb9c3d2ce432c9dd5a5a06b6ac041a844ebb31890f3c4310aa271e7
SSDEEP

786432:tgyT3lNSvjF5mPvxw8r+m2tMT8mWDACjI421oyJ:tgy7DKjFGktYHXCE4i

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2448	vc_redist.x86.exe
1896	vc_redist.x86.exe

Loads dropped DLL 4 IoCs

pid	Process
3036	JJSploit.exe
3036	JJSploit.exe
3036	JJSploit.exe
1896	vc_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_74_786.108.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_135_1034.361.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Language\tc.qm	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\REACTIVE\UI-Design-2016_Keyboard_out2_41_460.495.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_82_108.205.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_158R_1056.240.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\UI-Design-2016_Keyboard_1212_09_600.580.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_189_1041.341.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_11_373.274.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_75_834.108.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out2_43_267.495.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_75_47.112.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1212_03_766.202.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_70_714.264.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out on_573.543.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out2_30_267.475.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out2_45_460.495.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out on_437.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_264ON_970.480.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_119_502.302.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_82_1041.264.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\other_back.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_72_R985.281.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\imageformats\qjpeg.dll	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_116_39.204.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_226_685.378.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_56_406.264.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_96_998.237.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out on_573.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_126_1008.338.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Language\thermaltakeupdate_zh.qm	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_238_292.356.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_25_791.214.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_1_252.311.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out2_62_649.520.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out2_52_438.520.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_53_56.152.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_220_570.378.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\palette.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\btn.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\UI-Design-2016_Keyboard_1212_16_569.666.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨\UI-Design-2016_Keyboard_1208_188_1003.341.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out2_45_460.495.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out off_573.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out2_55_649.520.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_113.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\UI-Design-2016_Keyboard_1212_07_609.651.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_50_325.159.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_65_401.108.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out on_437.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_44_386.78.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_37_382.197.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_48_248.159.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out2_58_484.523.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\RIPPLE\UI-Design-2016_Keyboard_out on_437.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\RIPPLE\UI-Design-2016_Keyboard_out2_52_438.520.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out2_39_267.495.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_82_834.197.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out off_ 437.490.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out2_10_268.412.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\WAVE\UI-Design-2016_Keyboard_out off_573.543.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\·s¼W¸ê®Æ§¨ (2)\UI Design 2016_Keyboard_icon_63_324.108.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\eff\fully_lighted\UI-Design-2016_Keyboard_out off_437.470.png	JJSploit.exe
File created	C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1121_116R_39.204.png	JJSploit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3280	1896	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JJSploit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vc_redist.x86.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "253"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3036	JJSploit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5540	LogonUI.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3036 wrote to memory of 2448	3036	JJSploit.exe	78
PID 3036 wrote to memory of 2448	3036	JJSploit.exe	78
PID 3036 wrote to memory of 2448	3036	JJSploit.exe	78
PID 2448 wrote to memory of 1896	2448	vc_redist.x86.exe	80
PID 2448 wrote to memory of 1896	2448	vc_redist.x86.exe	80
PID 2448 wrote to memory of 1896	2448	vc_redist.x86.exe	80

C:\Users\Admin\AppData\Local\Temp\JJSploit.exe
"C:\Users\Admin\AppData\Local\Temp\JJSploit.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3036
- C:\Program Files (x86)\Tt\X1 RGB\vc_redist.x86.exe
  "C:\Program Files (x86)\Tt\X1 RGB\vc_redist.x86.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files (x86)\Tt\X1 RGB\vc_redist.x86.exe
    "C:\Program Files (x86)\Tt\X1 RGB\vc_redist.x86.exe" -burn.unelevated BurnPipe.{252F5F27-C4EB-4CD6-A513-8E4E9D809A26} {D4B3A8F4-56AF-4793-9321-D3A7DED0CBD6} 2448
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1896
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 816
      4⤵
      Program crash
      PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1896 -ip 1896
1⤵
PID:2076

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a0c055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tt\X1 RGB\Image\1123\UI-Design-2016_Keyboard_1212_03_888.202.png

Filesize
1KB

MD5
88ffd92d9bf7a04d3b3b0325ce69b9bd

SHA1
03c19145a5b3ecc3eecd96bb91d8af19be5fbe5b

SHA256
c9145311e2b90bbeec496227fb00fbf05385f6fbda5886a1245630c0c3eb212f

SHA512
27d8dabc06299b4f33cf68e382d8c8d30077e41d44ac22653236dd2d7b336228ea03caf288441f9e9eceeaf689b6fa41685d2c18cf1cbbf516168ff0be9e9d33

Download Submit
C:\Program Files (x86)\Tt\X1 RGB\Image\CUSTOMIZE_1212\UI-Design-2016_Keyboard_1212_16_569.689.png

Filesize
1KB

MD5
589f82da14c5a18751b5cf891bac784d

SHA1
164efc3e96fb9da6c69e415918df361f94c56adb

SHA256
36a7c00e09defe853ea745c80ee6f2f171c1e1e77d6f882a1125ba3a4d682698

SHA512
2c8947c0310efaeb58be3c7c2a1f89b3dd92b8c0c2f0817b9514ba76e30f3fb884c7cd5ccf19e13f64aeacd93133723fb8867a3d2ac7c1d64b09220199a01320

Download Submit
C:\Program Files (x86)\Tt\X1 RGB\Image\UI-Design-2016_Keyboard_out_126_1008.338.png

Filesize
17KB

MD5
ea40c26f27ac1ded01f5db46985f2df7

SHA1
b94e111a1f3d57a1bc579f6cdae7cbf5e412a51a

SHA256
d8abec5ed8d005a32b5199493f0416ebded758a9abb35aaa1895d4f4acb1cfbe

SHA512
00c1e39fbd986c31c2e715cb323a6e3360c30724c1c659bf65959fa0c953894f860c40bb1206e73d4b1d455b7855bb39ec2445139073c5b840e1437b2bd291ae

Download Submit
C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out off_573.490.png

Filesize
17KB

MD5
9a52ba43bec745cbf3e073b9dc9e92a6

SHA1
584342d1a80a42a8589bf41501a5272299cd965a

SHA256
a8002f0e06410e229a71c5c9579d922be5a58239a94d9079b3eaf46a62c8a5a8

SHA512
c46a269b33e72d368e4d786c2de54f7d10a0f6a4fdb1502effb6c1edcb655df6d87c75c10678c53b5d20be36ff06a330de2f69509f889208f0e1911d4a677778

Download Submit
C:\Program Files (x86)\Tt\X1 RGB\Image\eff\ARROW FLOW\UI-Design-2016_Keyboard_out on_573.490.png

Filesize
17KB

MD5
b406ab287a65d5df0c9b0d33d7fb332c

SHA1
0a660e8a9deac44e249755a24ccb798edfa715bc

SHA256
5449a3914daef51c6d76d11d4741ad9201fecb49a337d2132fbbac46d896def4

SHA512
bf6f6ec48468415bffb5cbfe2694d7fe21ba4c654f782140c47be08838dc2d036da882a37ae1aae04844505c0c22c8a02b84599574204bc8bd5bc3091998d8d4

Download Submit
C:\Program Files (x86)\Tt\X1 RGB\vc_redist.x86.exe

Filesize
13.1MB

MD5
1a15e6606bac9647e7ad3caa543377cf

SHA1
bfb74e498c44d3a103ca3aa2831763fb417134d1

SHA256
fdd1e1f0dcae2d0aa0720895eff33b927d13076e64464bb7c7e5843b7667cd14

SHA512
e8cb67fc8e0312da3cc98364b96dfa1a63150ab9de60069c4af60c1cf77d440b7dffe630b4784ba07ea9bf146bdbf6ad5282a900ffd6ab7d86433456a752b2fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\InstallOptions.dll

Filesize
14KB

MD5
3e277798b9d8f48806fbb5ebfd4990db

SHA1
d1ab343c5792bc99599ec7acba506e8ba7e05969

SHA256
fe19353288a08a5d2640a9c022424a1d20e4909a351f2114423e087313a40d7c

SHA512
84c9d4e2e6872277bffb0e10b292c8c384d475ad163fd0a47ca924a3c79077dfde880f535a171660f73265792554129161d079a10057d44e28e2d57ebc477e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\ioSpecial.ini

Filesize
814B

MD5
47e977fe3050c01311a8ecf26ea7e020

SHA1
3cae866fabd840cad4e9f0e3e5b6f77f40d3b413

SHA256
dbb2da9bd54cca63c362b2da37dcafd8edaca152c6967555462a7429b9762e4b

SHA512
f8ae1140bb53160bffec244605d6304c90e59b8deb993e5fb12f4b730705d0d4c0c96f5e09711bb770dbbde8b66c98f0327a5ca7a740fb9adddfed494403823c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\ioSpecial.ini

Filesize
698B

MD5
37fcda91abb0536bd16c5e408668c130

SHA1
6c29c3bad4b80b83f2ec08fc735ec5daeb5c720c

SHA256
fd201cad8a74a56453fb05af9e2d4ac2aa25de469af1869fab159d61199ce115

SHA512
aaf362338aa7db66a2a9e2ee928a49c75aff034f36a9c54c38537cd5f462869828abc798772c0bdb89ba26a428e5d0148e48cfdfbdc18e0c972d8e98df65b845

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\ioSpecial.ini

Filesize
685B

MD5
b7dea72f71f8314182205236cf9c90e2

SHA1
b8e1ecca364c34b1692802f5bfe4048ca73a9bc0

SHA256
d790a4f6b2acd9d9f4634f9889f020e145dce6387b94b4e229af62e21cb9b9b4

SHA512
e575baf7419ba3ac96f8c3130035446cbeb98e3aeadcce947092cf35fea1416c5bae5537c526f1c44cb5f81730ff282b3bdaff9bb32159eb2301216983532a17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsm9897.tmp\ioSpecial.ini

Filesize
788B

MD5
b8fc4e4923235d320a85b8df4e6c0287

SHA1
3e6248b85e876cc666e884d5b6ee1f6a96c2f1d3

SHA256
a5bfc872fb9346d99ff9049db6870089c315944f85e5c30078288981dda37d3e

SHA512
bcb879d454200b0fd54283fbec6038171e116781e07560bc35003ae5c99ee7c4d18f7e40017591d99a4442218b2778850dbba2725e057a7463de9da57b3df6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74d0e5db-b326-4dae-a6b2-445b9de1836e}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\CUSTOMIZED.ini

Filesize
722B

MD5
e24d7570c77f2387010a9fbf293549e1

SHA1
9eab100519cb3527ad3ef6e870b40daead1d310e

SHA256
84951eb0324cd5e17412af370652a701f7a5aef6c3f124ff38a09b76bd80c696

SHA512
4c1079f6af1f774030be4a856b10d8b4a3073b14ea8d2f647d35ef8a47fa3a54943cdeff48fba5b06fe8867bff825bdc59009d9e2f988273ae30abc8df0b5086

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\light_flag.ini

Filesize
863B

MD5
fb051252a2873f1d939419bc7fb80cb6

SHA1
2ec2d50d477cbebc7c72290be4fce2cc396f021b

SHA256
68c45c9f21ee9bb3435783e0a4a52d3da4668799dc1d7e61bb5fd469618439e4

SHA512
4686a64c5d84ae0d8d2c1fa8a007b8411aff547131a11070210033a305ecc86cdaf4badf26e908fe965b7b3338cd7ccb12593be874c86c0a8e44552d873f3ce0

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\pattern\pattern1.ini

Filesize
164B

MD5
47f4115f78a3d122959bc58f6875b28e

SHA1
73293415f3c54e71083575816ec90146d96b4b61

SHA256
dae505b47b4cefa5e60f20a3c2bfffc70beb9ae7c75530b6e46a3358afed026e

SHA512
f7a94565102fc4877f5b913a32c1571970ec102fcd438016b1ef20b2df6b6c82a9d79872f72afa2592d7a645afc47ddf7a771717dff7fe6685a3f38276c91bf6

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\pattern\pattern2.ini

Filesize
172B

MD5
608a91b71d843423a7cf51b8e79a786b

SHA1
cebf832fc8f320c5498ea8bdb383769c8de86896

SHA256
3312e234eaa187b485d1c024d3a5356716819f8eb89261467e11a9995597d105

SHA512
33694ee558750abc2b3657e926173827f3bffabebfba0cde1809f4fad3cf456c3994b6b9067c81f66f0d9e3b0375d736614f631cd4509936988262c8e11204b5

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\pattern\pattern3.ini

Filesize
171B

MD5
94240ba9bdd530d2601e770e2e5eca69

SHA1
a78f2762ec61170798a699cdf0743f7d44eff1c9

SHA256
0a7a937460404a195160c841688e004937996017b166f5402b62d512277d67da

SHA512
67c14d49c1de52994629861935d36bd407bb22b001e1b080e313876dee9487442b331c8b80762241ac2d827e7e555ef63041079fd574c9b62a1701ebe530cfb0

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\pattern\pattern4.ini

Filesize
167B

MD5
6860e0aa4b73fb814ef0886c36a7646e

SHA1
144361bd412d82124d7dd35e72850e0d731a4308

SHA256
1c4b428591ae5a1181da645a93794f4f57d62cb7c6a305718a0d4184e7069bee

SHA512
cf273cd8056ee00e73c4ae3dc55318862ad79253b07cbd8b111b259ab81d6d21d2c000bfdcbf9137640154d83ebd0cc6968ac9069a7d915d4d5eaa9a341ea48b

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 5\lightfile\pattern\pattern5.ini

Filesize
175B

MD5
71ebc1e2631b5c4229699eeb4a016134

SHA1
d913b059f6dc281fec3f4e7c45fe52da72e2dbaf

SHA256
92e08166360b09e5e2da62fdc803a4240ce71a7bd5bd516dabe3d4e5d6d689bf

SHA512
8d2526fa5922c609671c15c9b703c5be21f7c00963526a3af302999abfe6612f16f9c71bcf16aa01fe2e0a6314a37ab4f1efc128299c1f7c155628d442de3435

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 6\lightfile\light_apply.ini

Filesize
108B

MD5
a633b60d8c57cc53380122a1a4222492

SHA1
87c6f85a4c7c4862ae75918037ff42f64b8a8fa0

SHA256
17dbc502c2c987894707649c8dc0b75a0e4f97bc4d66be1a270b16c6e37b0640

SHA512
a8323d5a9ac75d6f51b6499f5a658f6c365d62cc5a47fba5cd8b1c7eacf9b711f76edd935cfff020455e958ea1c264719058fad04c0b7b2e4b4cada0a5acdea4

Download Submit
C:\Users\Admin\AppData\Roaming\Tt\TT_PREMIUM_X1\PROFILE\PROFILE 6\macro\macro_file.ini

Filesize
467B

MD5
cc7ab758c73e7572b63a63fc58f9378e

SHA1
b6883004a42a5b24e783829089b112070663aef7

SHA256
4ca6100cf42f2763582aeda22ce27fdd9bf8b5a830b597ce79a0232ca53c25e2

SHA512
25932ae0c3d669acaa25d67e0b163b78401cfd85d98ecc7a94a6ac5e97b274e31e814aac3ed44d4c8485b72a4fa65a93002768809a599ac09bf3730144e8cba3

Download Submit